Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Whitelist a lookup for bundle replication
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whitelist a lookup for bundle replication
I blacklist lookups from bundle replication by size in distsearch.conf as below
[replicationSettings]
excludeReplicatedLookupSize = 2
I now have a requirement to bypass the above condition for a specific lookup that is greater than 2 MB.
Is there a way I can craft the white list to take precedence just for the lookup that I need?
The reason I need this as part of the bundle is because I use this lookup as an auto lookup and is growing in size.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you put the lookup in an app and deploy it to your search heads and indexers?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @jkat54 the lookup is auto generated on a daily basis from a search and new records are added every day. Having to push the app to search heads and indexer will be a manual process every day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @gpradeepkumarreddy,
not a response that you asking, but a suggestion anyway:
- is switching to KVstore instead of static lookup an option?
Please consider KV-Store vs CSV lookup:
https://dev.splunk.com/enterprise/docs/developapps/kvstore/#The-KV-Store-vs-CSV-files
https://dev.splunk.com/enterprise/docs/developapps/kvstore/migrateyourappfromusingcsv/
- another options is to use gziped CSV files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @PavelP can you provide any pointers for using gziped csv files?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you append .gz to the csv file name, it will automatically compress/decompress the resulting lookup file.
e.g. | outputlookup lookup.csv
becomes
| outputlookup lookup.csv.gz
Can save a lot of space.
Obviously there are caveats.
You cannot append to a compressed lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good to know. In my case the lookup gets appended every day with new records. So I guess not an option for me.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
