Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Whitelist a lookup for bundle replication

pradeepkumarg
Influencer
‎05-18-2020 06:29 PM

I blacklist lookups from bundle replication by size in distsearch.conf as below

[replicationSettings]
excludeReplicatedLookupSize = 2

I now have a requirement to bypass the above condition for a specific lookup that is greater than 2 MB.
Is there a way I can craft the white list to take precedence just for the lookup that I need?
The reason I need this as part of the bundle is because I use this lookup as an auto lookup and is growing in size.

Labels (1)
Labels
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-27-2020 03:58 AM

Can you put the lookup in an app and deploy it to your search heads and indexers?

0 Karma
Reply

pradeepkumarg
Influencer
‎05-28-2020 08:45 PM

Hi @jkat54 the lookup is auto generated on a daily basis from a search and new records are added every day. Having to push the app to search heads and indexer will be a manual process every day.

0 Karma
Reply

PavelP
Motivator
‎05-27-2020 01:19 AM

Hello @gpradeepkumarreddy,

not a response that you asking, but a suggestion anyway:

  • is switching to KVstore instead of static lookup an option?

Please consider KV-Store vs CSV lookup:
https://dev.splunk.com/enterprise/docs/developapps/kvstore/#The-KV-Store-vs-CSV-files

https://dev.splunk.com/enterprise/docs/developapps/kvstore/migrateyourappfromusingcsv/

  • another options is to use gziped CSV files.
0 Karma
Reply

pradeepkumarg
Influencer
‎05-28-2020 09:09 PM

Hi @PavelP can you provide any pointers for using gziped csv files?

0 Karma
Reply

kmugglet
Communicator
‎05-28-2020 10:52 PM

if you append .gz to the csv file name, it will automatically compress/decompress the resulting lookup file.

e.g. | outputlookup lookup.csv
becomes
| outputlookup lookup.csv.gz

Can save a lot of space.

Obviously there are caveats.
You cannot append to a compressed lookup

0 Karma
Reply

pradeepkumarg
Influencer
‎05-29-2020 02:14 PM

Good to know. In my case the lookup gets appended every day with new records. So I guess not an option for me.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...