Closed guilhemmarchand closed 2 years ago
# Used to cache the list of object / object_category from data sources, hosts and metric hosts collection according to
# the allow and blocking lists definitions
# This is used for instance for SLA reporting purposes
# Until version 1.2.53, the replication was enable for the following purpose:
# This collection should be replicated to the indexers to get benefits from a shared work with indexers
# while accessing summary events for SLA reporting
# Due to some Splunk weakness in specific contexts with corrupted Metadata, its replication was disabled in 1.2.54
# This has very limited to no real impact while it technically made sense to distribute the load for best performance purposes
# The lookup content is limited to the list of known objects, their caetegory, allowance and last processed epoch
[kv_trackme_objects_summary]
replicate = false
Disable the replication has no functional effects and is 100% safe to be done at OOTB level.
It has been reported that corrupted content (itself due to corrupted Meta in customer's env) could be linked to some Splunk Cloud issues in the stacks related to Splunk weakness in the KVstore indexing process when the content has some unquote string.
Given that TrackMe does not really needs the replication and the automatic lookup, the app and searches live perfectly fine without it, I am making the decision that small benefits (distributing the lookup search to indexers) is not worth compared to potential issues.