I'm using Splunk Enterprise **6.5.3.1** and I'm trying to exclude the lookups from the Splunk Security Essentials app using the following settings in `distsearch.conf`. If I add it to `etc\apps\Splunk_Security_Essentials\local\distsearch.conf` it has no effect, but if I add it to `etc\system\local\distsearch.conf` it works as expected. I used the command `splunk cmd btool distsearch list` to confirm that the setting was being detected in both cases.

```
[replicationBlacklist]
excludeSSE2 = apps\Splunk_Security_Essentials\lookups...
```

This seems to be a bug in Splunk rather than in the app but I cannot find any reference to it in the [6.5.3 Known Issues][1]. Our version of Splunk 6.5.3.1 is not a typo - it is a privately released version from Splunk Support for another issue but I am sure that is not related.
[1]: https://docs.splunk.com/Documentation/Splunk/6.5.3/ReleaseNotes/Knownissues