Splunk Enterprise Security Certified Analyst — Question 35
A customer with a large distributed environment has blacklisted a large lookup from the search bundle to decrease the bundle size using distsearch.conf.
After this change, when they run searches that use the blacklisted lookup, they see error messages in the Splunk Search UI stating that the lookup file does not exist.
What can the customer do to resolve the issue?
Answer options
- A. The search needs to be modified to ensure the lookup command specifies parameter local=true.
- B. The blacklisted lookup definition stanza needs to be modified to specify setting allow_caching=true.
- C. The search needs to be modified to ensure the lookup command specified parameter blacklist=false.
- D. The lookup cannot be blacklisted; the change must be reverted.
Correct answer: A
Explanation
The correct answer is A because setting the parameter local=true makes the lookup command run locally on the search head rather than on the indexers, so the search no longer depends on the blacklisted file being distributed in the bundle. The other options do not address the issue: modifying allow_caching does not resolve the lookup's absence from the bundle, changing blacklist=false contradicts the purpose of blacklisting, and reverting the change is not a feasible solution if the customer wants to keep the reduced bundle size.