Bug in Splunk_SA_Scientific_Python_linux_x86_64 3.0.1

ww9rivers
Communicator

The package's default/distsearch.conf contains a stanza, apparently to exclude the package itself from search bundles:

 

[replicationDenylist]
noanaconda = apps[/\\]Splunk_SA_Scientific_Python*[/\\]...

 

Except that there is no "replicationDenylist" in this conf file, according to the documentation. It should have been "replicationBlacklist" according to the document and our experiment. This package is big, so when it is not excluded from search bundles, it causes search bundle size to exceed the size limitation.

I reported this to Splunk in a support case. But the support engineer insists that "this is not a bug, this is just information wrongly added in the documentation."

1 Solution

richgalloway
SplunkTrust

Get your account team involved.  This is a bug and Support should not be telling you otherwise.

---
If this reply helps you, Karma would be appreciated.

0 Karma

ktvrznik
Loves-to-Learn Lots

I had the same issue. It exceeded the bundle replication limit, and in this state you can't search on the SHC captain.
So of course, this is a bug.


Solution: Rename [replicationDenylist] to [replicationBlacklist] in .../Splunk_SA_Scientific_Python_linux_x86_64/default/distsearch.conf or create a local version of this file

0 Karma
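
An audit for the condition described in this thread, as an added example that is not part of the original posts and not Splunk's code: it finds rules an app ships under [replicationDenylist] with no equal rule under [replicationBlacklist], and generates the local/distsearch.conf text for the workaround. It assumes a Splunk version that only recognizes [replicationBlacklist], as the thread reports for 8.1.5; the function names and the minimal .conf reader are illustrative.

```python
import os
import tempfile

OLD, NEW = "replicationDenylist", "replicationBlacklist"

def parse_conf(path):
    """Minimal Splunk .conf reader: {stanza: {key: value}}; skips comments."""
    stanzas, current = {}, None
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif current is not None and "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def unmirrored_rules(app_dir):
    """Rules under [replicationDenylist] with no equal rule under [replicationBlacklist]."""
    merged = {OLD: {}, NEW: {}}
    for layer in ("default", "local"):  # local is read last, so it overrides default
        path = os.path.join(app_dir, layer, "distsearch.conf")
        if os.path.isfile(path):
            conf = parse_conf(path)
            for name in merged:
                merged[name].update(conf.get(name, {}))
    return {k: v for k, v in merged[OLD].items() if merged[NEW].get(k) != v}

def local_override(rules):
    """Text for local/distsearch.conf restating the rules under the recognized name."""
    return "[%s]\n" % NEW + "".join("%s = %s\n" % kv for kv in sorted(rules.items()))

def demo():
    """Constructed app directory reproducing the stanza quoted in the question."""
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "Splunk_SA_Scientific_Python_linux_x86_64")
        os.makedirs(os.path.join(app, "default"))
        with open(os.path.join(app, "default", "distsearch.conf"), "w") as fh:
            fh.write("[replicationDenylist]\n"
                     "noanaconda = apps[/\\\\]Splunk_SA_Scientific_Python*[/\\\\]...\n")
        before = unmirrored_rules(app)      # the rule the 8.1.5 core ignores
        os.makedirs(os.path.join(app, "local"))
        with open(os.path.join(app, "local", "distsearch.conf"), "w") as fh:
            fh.write(local_override(before))
        return before, unmirrored_rules(app)  # after the workaround: nothing left

if __name__ == "__main__":
    print(demo())
```

Running `unmirrored_rules` over every directory under the apps folder flags any other app that ships the same stanza name.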

ww9rivers
Communicator

I understand what you said and I know that change is in progress.

However, the app clearly states that it is for versions 8.0, 8.1, and 8.2. I have read the documents for the latest version of Splunk, as well as that for version 8.1.5, which is what we are running.

Not sure what you mean by "the error in your local distsearch.conf file". I did not have a local/distsearch.conf file. I had to create a local/distsearch.conf file to work around this bug.

0 Karma

richgalloway
SplunkTrust

@ww9rivers wrote:

I understand what you said and I know that change is in progress.

However, the app clearly states that it is for versions 8.0, 8.1, and 8.2. I have read the documents for the latest version of Splunk, as well as that for version 8.1.5, which is what we are running.

This covers my first point.  

You should submit feedback on the docs pages so the Documentation team is aware of the discrepancy and can correct it (they're good about that).

Not sure what you mean by "the error in your local distsearch.conf file". I did not have a local/distsearch.conf file. I had to create a local/distsearch.conf file to work around this bug.


That is exactly what I meant.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ww9rivers
Communicator

@richgalloway wrote:

You should submit feedback on the docs pages so the Documentation team is aware of the discrepancy and can correct it (they're good about that).

But it is NOT a documentation error. Splunk 8.1.5 works with [replicationBlacklist], as the document correctly states. It does NOT work with [replicationDenylist].

Not sure what you mean by "the error in your local distsearch.conf file". I did not have a local/distsearch.conf file. I had to create a local/distsearch.conf file to work around this bug.


That is exactly what I meant.


Sorry, I do not understand what exactly you mean.

0 Karma

richgalloway
SplunkTrust

There are two problems.

1) default/distsearch.conf uses an unsupported stanza name.  This should be submitted as a P1 bug.  Allow Support to lower it to P2 once they provide the local/distsearch.conf workaround.  It is, however, a bug so don't let Support tell you otherwise.

2) The documentation is incorrect in that it doesn't reflect what the app ships with.  Report that and the Docs team can pressure Dev to fix the bug.

---
If this reply helps you, Karma would be appreciated.
0 Karma

ww9rivers
Communicator

1) As I stated in my first post, I reported that as a bug to Splunk Support. But the support engineer insists that it is not a bug, but a documentation error. I have not been able to convince him/her in any way.

2) The documentation is NOT incorrect as far as reflecting what the Splunk core recognizes as a correct keyword -- note that this stanza works for all other apps as well, not just this app.

0 Karma

richgalloway
SplunkTrust

Splunk is in the process of changing bias language in its products.  For example, "blacklist" is being replaced by "denylist".  You may have found a case where one product was ahead of another in making that change.  Here's what you can do:

  1. Make sure the version of the app is correct for the version of Splunk you use.
  2. Make sure you're reading the correct version of the documentation.  If you are, then submit documentation feedback about the error.
  3. Correct the error in your local distsearch.conf file.
---
If this reply helps you, Karma would be appreciated.
0 Karma