Closed ljstella closed 3 months ago
Confirmed that we don't currently update this value when generating a build from a new repo:
$ cat dist/ContentPack/default/distsearch.conf
[replicationSettings:refineConf]
replicate.analytic_stories = false
[replicationDenylist]
excludeESCU = apps[/\\]DA-ESS-ContentUpdate[/\\]lookups[/\\]...
Removing the file entirely from the app_template so that users: 1) don't get our config when they don't need it 2) can ship without a distsearch.conf specific to their content app until they need it 3) can manage it themselves.
Just for reference, I am including the distsearch.conf that we ship in the app_template
folder for ESCU, specifically: https://github.com/splunk/security_content/blob/develop/app_template/default/distsearch.conf
Additionally, here is some more reference information about this file: https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Distsearchconf
Renamed
[replicationBlacklist]
to[replicationDenylist]
per documentation.While working on that, I realized we have hardcoded references to
DA-ESS-ContentUpdate
andESCU
in the distsearch.conf template. We should figure a way to remove those as part of this too. Alternatively, we could remove it entirely and let folks decide when to add their own replication denylist by hand, when they need it, covering the files they need.