Exam SPLK-3003
Question 57

A customer with a large distributed environment has blacklisted a large lookup from the search bundle to decrease the bundle size using distsearch.conf.

After this change, when running searches that use the blacklisted lookup, they see error messages in the Splunk Search UI stating that the lookup file does not exist.

What can the customer do to resolve the issue?

    Correct Answer: A

    To resolve the issue, the search needs to be modified to ensure the lookup command specifies the parameter local=true. This directs Splunk to perform the lookup locally on the search head rather than relying on the blacklisted file to be present on the search peers. This adjustment allows the search to be successful even if the lookup file is not included in the search bundle.

Discussion
pbandj12 Option: A

A is correct

jbabbin

Link https://community.splunk.com/t5/Splunk-Search/Large-lookup-caused-the-bundle-replication-to-fail-What-are-my/m-p/194594

hpbdcb Option: A

Well explained by jcisco123; just added as a vote comment.

jcisco123 Option: A

To resolve the issue, the customer can modify the search to ensure that the lookup command specifies the parameter "local=true". When a lookup is blacklisted in the distsearch.conf file, the lookup file is no longer included in the search bundle and is not available to search peers. As a result, the lookup cannot be used by search peers during distributed searches. However, when the "local=true" parameter is specified in the lookup command, it tells Splunk to perform the lookup locally on the search head, rather than using a distributed search to perform the lookup on the indexers. This means that the lookup file does not need to be present on the search peers, and the search can be successfully executed even if the lookup has been blacklisted. Therefore, the correct answer is A: the customer needs to modify the search to ensure that the lookup command specifies parameter "local=true". Options B and C are not valid solutions to the problem described. Option D is incorrect as lookups can be blacklisted; however, it requires appropriate modifications to searches to avoid errors.

jugulinho Option: D

It's not blacklisted CSV, so D is correct.