Deployment Architecture

Blacklist help in serverclass.conf

cramasta
Builder

I have a set of servers that following a naming scheme like ddpamq-la-c9000

I want all servers that match ddpamq-* to get the test-fwd app except for a select few.

None of the servers listed in the blacklist settings below seem to work, and the app still goes to them.

[global]
blacklist.0 = *

[serverClass:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-*

[serverClass:test-fwd:app:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-nj-*
whitelist.1 = ddpamq-la-*
blacklist.0 = ddpamq-la-c007*
blacklist.1 = ddpamq-la-c008*
blacklist.2 = ddpamq-nj-c007*
blacklist.3 = ddpamq-nj-c008*
blacklist.4 = ddpamq-la-c301*
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True

0 Karma
1 Solution

alacercogitatus
SplunkTrust

The whitelist and blacklist items are PCRE regexes, with * being mapped to ".*". This then makes the regex blacklist.0 = "ddpamq-.*-c.*" and then won't match anything. So I would use a better formed regex, since ".*" matches everything.

whitelist.0 = ddpamq-\w+-[^c]\d+

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverclassconf

cramasta
Builder

Yes, I did. What I found was that the forwarder no longer showed the test-fwd app in the apps directory, but it was still forwarding the data. After restarting the forwarder the logs stopped coming in. Seems like the restartSplunkd = True setting didn't take place once the app was removed 😕 Thanks for the help though, I have a better understanding of how to work with blacklists now.

0 Karma

alacercogitatus
SplunkTrust

And you are reloading the deploy-server, right? splunk reload deploy-server -class test-fwd

0 Karma

cramasta
Builder

Looking at the docs, it seems like I am trying to do what is listed in this example. Not sure how what I have listed above is different than this example.

Example of when filterType is whitelist
whitelist.0=*.splunk.com
blacklist.0=printer.splunk.com
blacklist.1=scanner.splunk.com

0 Karma

clymbouris
Path Finder

If the regex by the more experienced Splunker above doesn't work, then try using a bit of a different syntax and put the app on the bottom. That's how I have them in my environment.

[serverClass:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-*
blacklist.0 = ddpamq--c
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True
[serverClass:test-fwd:app:test-fwd]

or try the blacklist filter type

[serverClass:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq--c
whitelist.0 = ddpamq-*
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True
[serverClass:test-fwd:app:test-fwd]

or maybe it's a combination of the regex above and this.

0 Karma

alacercogitatus
SplunkTrust

In that case, if the total number of servers is manageable, I would add them explicitly.

[serverClass:test-fwd:app:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq-nj-c9000
blacklist.1 = ddpamq-ny-c9000
blacklist.2 = ddpamq-pa-39d00
blacklist.x = whatever
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True

cramasta
Builder

Would this cause the app to get pushed to all forwarders except what matched the blacklist? If so, that won't work, as there are other servers out there with different naming schemes that should not get the test-fwd app.

0 Karma

alacercogitatus
SplunkTrust

Try this. It sets the default as "match" (via filterType of blacklist) and then blacklists the matching servers.

[serverClass:test-fwd:app:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq-[^-]+-c\d+
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True

0 Karma
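As an added illustration (this is not Splunk's code and not code from any poster in the thread), the following Python script models how serverclass.conf whitelist/blacklist entries select clients, then runs the original poster's test-fwd stanzas and a server-class-level version of the filterType = blacklist stanza above against a handful of constructed client names. The semantics it assumes are stated in the comments ("*" expands to ".*", patterns are anchored to the whole client name, blacklist entries override whitelist entries under filterType = whitelist and the reverse under filterType = blacklist, an app stanza with its own entries narrows its server class, and [global] inheritance is not modelled); check them against the serverclass.conf documentation linked above for your Splunk version before relying on the model.

```python
import re

# Constructed example, not Splunk's code: a small model of serverclass.conf
# whitelist/blacklist evaluation, written to reason about the configs in this
# thread. Assumed semantics (not taken from the product source):
#   - "*" in an entry expands to ".*"; any other PCRE syntax is passed through
#     as written and the whole pattern is anchored to the full client name;
#   - filterType = whitelist: the client is in the class if it matches a
#     whitelist entry and no blacklist entry;
#   - filterType = blacklist: the client is in the class unless it matches a
#     blacklist entry and no whitelist entry;
#   - an app stanza that carries its own whitelist/blacklist keys further
#     narrows the server class it belongs to; [global] inheritance is ignored.

def parse_serverclass(text):
    """Parse serverclass.conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return stanzas

def entry_to_regex(entry):
    """Expand a bare '*' to '.*' (leave an existing '.*' alone) and anchor it."""
    return re.compile("^(?:" + re.sub(r"(?<!\.)\*", ".*", entry) + ")$")

def selected(stanza, client):
    """Apply one stanza's whitelist/blacklist rules to a single client name."""
    white = [entry_to_regex(v) for k, v in stanza.items() if k.startswith("whitelist.")]
    black = [entry_to_regex(v) for k, v in stanza.items() if k.startswith("blacklist.")]
    in_white = any(r.match(client) for r in white)
    in_black = any(r.match(client) for r in black)
    if stanza.get("filterType", "whitelist") == "whitelist":
        return in_white and not in_black
    return not (in_black and not in_white)

def has_filters(stanza):
    return any(k.startswith(("whitelist.", "blacklist.")) for k in stanza)

def app_deployed(stanzas, server_class, app, client):
    """True if the client passes the class stanza and, when the app stanza
    carries its own entries, the app stanza as well."""
    class_stanza = stanzas.get("serverClass:" + server_class, {})
    app_stanza = stanzas.get("serverClass:%s:app:%s" % (server_class, app), {})
    if not selected(class_stanza, client):
        return False
    return selected(app_stanza, client) if has_filters(app_stanza) else True

# The original poster's test-fwd stanzas from the thread, with [global] left out.
OP_CONF = """
[serverClass:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-*

[serverClass:test-fwd:app:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-nj-*
whitelist.1 = ddpamq-la-*
blacklist.0 = ddpamq-la-c007*
blacklist.1 = ddpamq-la-c008*
blacklist.2 = ddpamq-nj-c007*
blacklist.3 = ddpamq-nj-c008*
blacklist.4 = ddpamq-la-c301*
"""

# The filterType = blacklist stanza proposed in the thread, moved to the
# server-class level here so that its "include by default" behaviour is visible.
BLACKLIST_CONF = r"""
[serverClass:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq-[^-]+-c\d+
"""

# Constructed client names; only ddpamq-la-c9000 appears in the thread.
CLIENTS = ["ddpamq-la-c9000", "ddpamq-la-c0071", "ddpamq-nj-c0080",
           "ddpamq-la-c3010", "ddpamq-nj-c3010", "ddpamq-tx-c9000", "dbhost-01"]

def report(conf_text):
    """Map each constructed client to whether it would receive test-fwd."""
    stanzas = parse_serverclass(conf_text)
    return {c: app_deployed(stanzas, "test-fwd", "test-fwd", c) for c in CLIENTS}

if __name__ == "__main__":
    for label, conf in (("OP whitelist config", OP_CONF), ("blacklist config", BLACKLIST_CONF)):
        print(label)
        for client, gets_app in report(conf).items():
            print("  %-18s %s" % (client, "deploy" if gets_app else "skip"))
```

Under these assumptions the original poster's stanzas do exclude the c007/c008/la-c301 hosts while still deploying to the rest of the ddpamq-nj and ddpamq-la hosts, which matches the whitelist example quoted from the docs; the blacklist-type stanza, on the other hand, deploys to any client that does not match the pattern, including a constructed non-ddpamq host, which is exactly the concern raised earlier in the thread. If the model and the real deployment server disagree, the difference is in the assumptions listed above or in the server not having been reloaded, so compare against the documented semantics for your version.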

cramasta
Builder

Thanks, I see what you did with the whitelist and how that would work. I should have provided a better example of what I needed to do, though. I have hundreds of forwarders but only need to blacklist about 5 of them from the app. If you look at my original post, I updated it with an example that does a better job of showing what I'm trying to do.

0 Karma