Knowledge bundles and deployed apps

rtadams89 · ‎04-20-2014

If I have an app that contains lookup tables installed on my search heads AND on my indexers, can I blacklist that app from being replicated in the knowledge bundle (to reduce the bundle size)? It would seem that if the same lookup apps exist on both the search head and indexer, there would be no need to replicate the same data again from from search head to indexer...

kaufmanm · ‎04-20-2014

I don't know that this will work if you need to use the lookup on the search nodes, but I think it's your best bet, so I'd try it out and see what happens. On the search head, edit distsearch.conf and add the below stanza:

[replicationBlacklist]
large_lookup = name_of_lookup_file.csv

Then restart Splunk on the search head and see if the searches you need still work.

Source: Splunk docs

rtadams89 · ‎04-20-2014

I'm trying this now, but due to the number of apps and the variety of things I would like to blacklist (e.g., in addition to the lookup files, there are a bunch of bat/py/sh scripts, props/transforms .conf files, etc.) I'm not sure I can test all potential issues.

Knowledge bundles and deployed apps

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...