Getting Data In

How to apply replicationblacklist for a particular app in distsearch.conf?

pavanae
Builder

On my replication bundle I have a whole list of unwanted files that exists from a particular App "XYZ" which are as shown below 

 

 

apps/XYZ/bin/suds/mx/typer.pyc
apps/XYZ/bin/suds/mx/encoded.py
apps/XYZ/bin/suds/mx/__init__.pyc
apps/XYZ/bin/suds/mx/literal.py
apps/XYZ/bin/suds/mx/__init__.py
apps/XYZ/bin/suds/options.py
apps/XYZ/bin/suds/sudsobject.py

 

 

Now, how can i apply replicationblacklist to anything that is under the APP "XYZ" ? 

 

distsearch.conf

 

[replicationBlacklist]

....

 

Labels (3)
0 Karma

youngsuh
Contributor

how do you validate that the setting is working?  do you use BTOOL?

Tags (1)
0 Karma

danielcj
Communicator

Hello,

Please, try that:

 

[replicationBlacklist]
block_suds_mx_files = apps/XYZ/bin/suds/mx/*.(py$|pyc$)
block_suds_files = apps/XYZ/bin/suds/*.(py$|pyc$)

 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Use [replicationDenylist] stanza instead, the above stanza you mentioned has been deprecated.

0 Karma

Senak
Loves-to-Learn Everything

Hello @VatsalJagani ,

Can this work for shcluster when i have my app in etc/shcluster/app ? 

In other word can i blacklist an app located in etc/shcluster/app/?

It has to be done on the deployer right?

Thanks

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Yes, it will work.

How:

  • Replicate happens by the search head cluster captain.
  • Whatever you have under etc/shcluster/apps directory on the deployer will be moved to etc/apps directory on all the search heads including the captain.
  • Hence denylist should work as it would work on the standalone instance.

 

0 Karma

Senak
Loves-to-Learn Everything
  • Ok great, so now , that conf has to be made in etc/shcluster/apps/<my_app>/local/distsearch.conf?
  • Next does that mean the files blacklisted are not going to be in the bundle send to the sh members so not updated but they will not be deleted right?
  • My last question, is it possible to tell splunk to not update a whole app , instead of blacklisting files. My challenge is that i have space issue on the deployer when deploying a new app.

Any ideas

Thanks

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@Senak - Below are answers to your questions:

  • yes.
  • Splunk indexers (peers) will gonna use the latest bundle only. Now whether to send a full bundle or bundle delta that's up to Splunk. And it's not gonna affect how your files should behave.
  • Can you please explain how size is affecting what you need to push from the deployer?

 

0 Karma

Senak
Loves-to-Learn Everything

@VatsalJagani 

This is the error i am dealing with when trying to push a new app on my SH cluster. 

 

 

 

Error while creating deployable apps: Error compressing the temporary tarball: /opt/splunk/var/run/splunk/deploy.1805b9b8294a5b90.tmp/apps/SplunkEnterpriseSecuritySuite.bundle: No space left on device

 

 

 

It seems like Splunk Enterprise bundle is too big. How can i reduce it size or even prevent splunk to create a bundle for it?

Kind regards

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

I would say create disk space on the deployer and SH for the bundle, that would be my advise.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...