Use [replicationDenylist] stanza instead, the above stanza you mentioned has been deprecated.

Hello @VatsalJagani ,

Can this work for shcluster when i have my app in etc/shcluster/app ? 

In other word can i blacklist an app located in etc/shcluster/app/?

It has to be done on the deployer right?

Thanks

Yes, it will work.

How:

• Replicate happens by the search head cluster captain.
• Whatever you have under etc/shcluster/apps directory on the deployer will be moved to etc/apps directory on all the search heads including the captain.
• Hence denylist should work as it would work on the standalone instance.

• Ok great, so now , that conf has to be made in etc/shcluster/apps/<my_app>/local/distsearch.conf?
• Next does that mean the files blacklisted are not going to be in the bundle send to the sh members so not updated but they will not be deleted right?
• My last question, is it possible to tell splunk to not update a whole app , instead of blacklisting files. My challenge is that i have space issue on the deployer when deploying a new app.

Any ideas

Thanks

@Senak - Below are answers to your questions:

• yes.
• Splunk indexers (peers) will gonna use the latest bundle only. Now whether to send a full bundle or bundle delta that's up to Splunk. And it's not gonna affect how your files should behave.
• Can you please explain how size is affecting what you need to push from the deployer?

@VatsalJagani 

This is the error i am dealing with when trying to push a new app on my SH cluster. 

Error while creating deployable apps: Error compressing the temporary tarball: /opt/splunk/var/run/splunk/deploy.1805b9b8294a5b90.tmp/apps/SplunkEnterpriseSecuritySuite.bundle: No space left on device

It seems like Splunk Enterprise bundle is too big. How can i reduce it size or even prevent splunk to create a bundle for it?

Kind regards

I would say create disk space on the deployer and SH for the bundle, that would be my advise.