We have a list of large lookup files that are not supposed to be included in the search bundles. Their configurations are below. However, we have found that they are still in the bundle.
[replicationBlacklist]
blacklist_lookups = [\/\_\.\-](backups)[_\.\-\/\\]
The files looks like this in the file system;
apps/DA-ESS-AccessProtection/lookups/lookup_file_backups/abc2.csv
apps/DA-ESS-AccessProtection/lookups/lookup_file_backups/bcd1.csv
apps/search/lookups/lookup_file_backups/abcd5.csv
apps/DA-ESS-ThreatIntelligence/lookups/lookup_file_backups/abcd4
apps/SplunkEnterpriseSecuritySuite/lookups/lookup_file_backups/xyz10.csv
I've checked this regex in "regex101.com" which works fine for the above.
The replicationBlacklist support regex but it appends "$SPLUNK_HOME/etc" to the regex you configured. i.e, SPLUNK_HOME=/opt/splunk
When splunk applies the regex above, it would be like "/opt/splunk/\/_.-[_.-\/] ", which is the reason your lookup files are not filtered out by the blacklist.
Please try the below;
[replicationBlacklist]
blacklist_lookups = apps/*/lookups/lookup_file_backups/*.csv
The replicationBlacklist support regex but it appends "$SPLUNK_HOME/etc" to the regex you configured. i.e, SPLUNK_HOME=/opt/splunk
When splunk applies the regex above, it would be like "/opt/splunk/\/_.-[_.-\/] ", which is the reason your lookup files are not filtered out by the blacklist.
Please try the below;
[replicationBlacklist]
blacklist_lookups = apps/*/lookups/lookup_file_backups/*.csv