Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Whitelist a lookup for bundle replication

pradeepkumarg
Influencer
‎05-18-2020 06:29 PM

I blacklist lookups from bundle replication by size in distsearch.conf as below

[replicationSettings]
excludeReplicatedLookupSize = 2

I now have a requirement to bypass the above condition for a specific lookup that is greater than 2 MB.
Is there a way I can craft the white list to take precedence just for the lookup that I need?
The reason I need this as part of the bundle is because I use this lookup as an auto lookup and is growing in size.

Labels (1)
Labels
0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-27-2020 03:58 AM

Can you put the lookup in an app and deploy it to your search heads and indexers?

0 Karma
Reply

pradeepkumarg
Influencer
‎05-28-2020 08:45 PM

Hi @jkat54 the lookup is auto generated on a daily basis from a search and new records are added every day. Having to push the app to search heads and indexer will be a manual process every day.

0 Karma
Reply

PavelP
Motivator
‎05-27-2020 01:19 AM

Hello @gpradeepkumarreddy,

not a response that you asking, but a suggestion anyway:

  • is switching to KVstore instead of static lookup an option?

Please consider KV-Store vs CSV lookup:
https://dev.splunk.com/enterprise/docs/developapps/kvstore/#The-KV-Store-vs-CSV-files

https://dev.splunk.com/enterprise/docs/developapps/kvstore/migrateyourappfromusingcsv/

  • another options is to use gziped CSV files.
0 Karma
Reply

pradeepkumarg
Influencer
‎05-28-2020 09:09 PM

Hi @PavelP can you provide any pointers for using gziped csv files?

0 Karma
Reply

kmugglet
Communicator
‎05-28-2020 10:52 PM

if you append .gz to the csv file name, it will automatically compress/decompress the resulting lookup file.

e.g. | outputlookup lookup.csv
becomes
| outputlookup lookup.csv.gz

Can save a lot of space.

Obviously there are caveats.
You cannot append to a compressed lookup

0 Karma
Reply

pradeepkumarg
Influencer
‎05-29-2020 02:14 PM

Good to know. In my case the lookup gets appended every day with new records. So I guess not an option for me.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...