I don't understand why Splunk implemented a priority architecture which can overwrite another app's property. I wanted to blacklist each app's csvs and i used the Stanzas as below in distsearch.conf. To my suprise, one of the apps csvs were not blacklisted.
excludeLookup = apps/app1_kpi/lookups/*.csv
excludeLookup = apps/app2_kpi/lookups/*.csv
Both are global sharing. We changed the sharing but got same result.
Will Splunk change this architecture in future? This is very dangerous for managing. The app concept is fundamental violated.
... View more