Solved: How come [replicationBlacklist] is not working?

sylim_splunk · ‎11-12-2018

We have a list of large lookup files that are not supposed to be included in the search bundles. Their configurations are below. However, we have found that they are still in the bundle.

[replicationBlacklist] 
blacklist_lookups = [\/\_\.\-](backups)[_\.\-\/\\]

The files looks like this in the file system;

apps/DA-ESS-AccessProtection/lookups/lookup_file_backups/abc2.csv
apps/DA-ESS-AccessProtection/lookups/lookup_file_backups/bcd1.csv
apps/search/lookups/lookup_file_backups/abcd5.csv
apps/DA-ESS-ThreatIntelligence/lookups/lookup_file_backups/abcd4
apps/SplunkEnterpriseSecuritySuite/lookups/lookup_file_backups/xyz10.csv

I've checked this regex in "regex101.com" which works fine for the above.

sylim_splunk · ‎11-12-2018

The replicationBlacklist support regex but it appends "$SPLUNK_HOME/etc" to the regex you configured. i.e, SPLUNK_HOME=/opt/splunk
When splunk applies the regex above, it would be like "/opt/splunk/\/_.-[_.-\/] ", which is the reason your lookup files are not filtered out by the blacklist.

Please try the below;

[replicationBlacklist]
blacklist_lookups = apps/*/lookups/lookup_file_backups/*.csv

View solution in original post

sylim_splunk · ‎11-12-2018

The replicationBlacklist support regex but it appends "$SPLUNK_HOME/etc" to the regex you configured. i.e, SPLUNK_HOME=/opt/splunk
When splunk applies the regex above, it would be like "/opt/splunk/\/_.-[_.-\/] ", which is the reason your lookup files are not filtered out by the blacklist.

Please try the below;

[replicationBlacklist]
blacklist_lookups = apps/*/lookups/lookup_file_backups/*.csv

How come [replicationBlacklist] is not working?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...