The package's default/distsearch.conf contains a stanza, apparently to exclude the package itself from search bundles:
[replicationDenylist]
noanaconda = apps[/\\]Splunk_SA_Scientific_Python*[/\\]...
Except that, there is no "replicationDenylist" in this conf file, according to the documentation. It should have been "replicationBlacklist" according to the document and our experiment. This package is big, so when it is not excluded from search bundles, it causes search bundle size to exceed the size limitation.
I reported this to Splunk in a support case. But the support engineer insists that "this is not a bug, this is just information wrongly added in the documentation."
Get your account team involved. This is a bug and Support should not be telling you otherwise.
I had the same issue. It exceeded bundle replication limit and in this state you cant search on the SHC captain.
So off course. This is bug.
Solution: Rename [replicationDenylist] to [replicationBlacklist] in.../Splunk_SA_Scientific_Python_linux_x86_64/default/distsearch.conf or create local version of this file
I understand what you said and I know that change is in progress.
However, the app clearly states that it is for versions 8.0, 8.1, and 8.2. I have read the documents for the latest version of Splunk, as well as that for version 8.1.5, which is what we are running.
Not sure what you mean by "the error in your local distsearch.conf file". I did not have a local/distsearch.conf file. I had to create a local/distsearch.conf file to work around this bug.
@ww9rivers wrote:I understand what you said and I know that change is in progress.
However, the app clearly states that it is for versions 8.0, 8.1, and 8.2. I have read the documents for the latest version of Splunk, as well as that for version 8.1.5, which is what we are running.
This covers my first point.
You should submit feedback on the docs pages so the Documentation team is aware of the discrepancy and can correct it (they're good about that).
Not sure what you mean by "the error in your local distsearch.conf file". I did not have a local/distsearch.conf file. I had to create a local/distsearch.conf file to work around this bug.
That is exactly what I meant.
@richgalloway wrote:You should submit feedback on the docs pages so the Documentation team is aware of the discrepancy and can correct it (they're good about that).
But it is NOT a documentation error. Splunk 8.1.5 works with [replicationBlacklist], as the document correctly states. It does NOT work with [replicationDenylist].
Not sure what you mean by "the error in your local distsearch.conf file". I did not have a local/distsearch.conf file. I had to create a local/distsearch.conf file to work around this bug.
That is exactly what I meant.
Sorry, I do not understand what exactly you mean.
There are two problems.
1) default/distsearch.conf uses an unsupported stanza name. This should be submitted as a P1 bug. Allow Support to lower it to P2 once they provide the local/distsearch.conf workaround. It is, however, a bug so don't let Support tell you otherwise.
2) The documentation is incorrect in that it doesn't reflect what the app ships with. Report that and the Docs team can pressure Dev to fix the bug.
1) As I stated in my first post, I reported that as a bug to Splunk Support. But the support engineer insists that it is not a bug, but a documentation error. I have not been able to convince him/her in any way.
2) The documentation is NOT incorrect as far as reflecting what the Splunk core recognizes as a correct keyword -- note that this stanza works for all other apps as well, not just this app.
Get your account team involved. This is a bug and Support should not be telling you otherwise.
Splunk is in the process of changing bias language in its products. For example, "blacklist" is being replaced by "denylist". You may have found a case where one product was ahead of another in making that change. Here's what you can do: