I have a set of servers that follow a naming scheme like ddpamq-la-c9000.
I want all servers that match ddpamq-* to get the test-fwd app except for a select few.
None of the servers listed in the blacklist settings below seem to work, and the app still goes to them.
[global]
blacklist.0 = *
[serverClass:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-*
[serverClass:test-fwd:app:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-nj-*
whitelist.1 = ddpamq-la-*
blacklist.0 = ddpamq-la-c007*
blacklist.1 = ddpamq-la-c008*
blacklist.2 = ddpamq-nj-c007*
blacklist.3 = ddpamq-nj-c008*
blacklist.4 = ddpamq-la-c301*
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True
The whitelist and blacklist items are PCRE regexes, with * being mapped to ".*". This then makes the regex blacklist.0 = "ddpamq-.*-c.*" and then won't match anything. So I would use a better formed regex, since ".*" matches everything.
whitelist.0 = ddpamq-\w+-[^c]\d+
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverclassconf
Yes, I did. What I found was that the forwarder no longer showed the test-fwd app in the apps directory, but it was still forwarding the data. After restarting the forwarder, the logs stopped coming in. Seems like the restartSplunkd = True setting didn't take place once the app was removed 😕 Thanks for the help though, I have a better understanding of how to work with blacklists now.
And you are reloading the deploy-server, right? splunk reload deploy-server -class test-fwd
Looking at the docs, it seems like I am trying to do what is listed in this example. Not sure how what I have listed above is different than this example.
Example of when filterType is whitelist
whitelist.0=*.splunk.com
blacklist.0=printer.splunk.com
blacklist.1=scanner.splunk.com
If the regex by the more experienced splunker above doesn't work then try using a bit of a different syntax and put the app on the bottom. That's how I have them in my environment
[serverClass:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-*
blacklist.0 = ddpamq--c
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True
[serverClass:test-fwd:app:test-fwd]
or try to blacklist filter type
[serverClass:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq--c
whitelist.0 = ddpamq-*
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True
[serverClass:test-fwd:app:test-fwd]
or maybe it's a combination of the regex above and this
In that case, if the total number of servers is manageable, I would add them explicitly.
[serverClass:test-fwd:app:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq-nj-c9000
blacklist.1 = ddpamq-ny-c9000
blacklist.2 = ddpamq-pa-39d00
blacklist.x = whatever
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True
Would this cause the app to get pushed to all forwarders except what matched the blacklist? If so, that won't work, as there are other servers out there with different naming schemes that should not get the test-fwd app.
Try this. It sets the default as "match" (via filterType of blacklist) and then blacklists the matching servers.
[serverClass:test-fwd:app:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq-[^-]+-c\d+
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True
Thanks, I see what you did with the whitelist and how that would work. I should have provided a better example of what I needed to do though. I have hundreds of forwarders but only need to blacklist about 5 of them from the app. If you look at my original post, I updated it with an example that does a better job of showing what I'm trying to do.
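
Added example, not part of any post in this thread and not Splunk's own code: a small Python model of the whitelist/blacklist evaluation discussed above, useful for checking a filter against a host list before reloading the deployment server. The "*" to ".*" mapping is taken from the thread; matching against the whole client name, the default-match behaviour of each filterType, and every host name other than ddpamq-la-c9000 are assumptions made for this sketch.

```python
import re

def to_regex(pattern):
    # Per the thread, "*" is mapped to ".*"; the rest is treated as a regex.
    # Assumption: the pattern must match the whole client name.
    return re.compile(pattern.replace("*", ".*"))

def matches_any(name, patterns):
    return any(to_regex(p).fullmatch(name) for p in patterns)

def is_member(name, filter_type, whitelist=(), blacklist=()):
    if filter_type == "whitelist":
        # Assumed default: no match. Whitelist includes, blacklist excludes.
        return matches_any(name, whitelist) and not matches_any(name, blacklist)
    if filter_type == "blacklist":
        # Assumed default: match. Blacklist excludes, whitelist re-includes.
        return not matches_any(name, blacklist) or matches_any(name, whitelist)
    raise ValueError("filterType must be 'whitelist' or 'blacklist'")

def members(hosts, filter_type, whitelist=(), blacklist=()):
    return [h for h in hosts if is_member(h, filter_type, whitelist, blacklist)]

# Constructed host names for illustration (only ddpamq-la-c9000 is from the thread).
HOSTS = ["ddpamq-la-c9000", "ddpamq-la-c0071", "ddpamq-nj-c0085",
         "ddpamq-tx-c1000", "web-la-c0071"]

# Filter lists from the original question's app stanza.
ORIG_WL = ["ddpamq-nj-*", "ddpamq-la-*"]
ORIG_BL = ["ddpamq-la-c007*", "ddpamq-la-c008*", "ddpamq-nj-c007*",
           "ddpamq-nj-c008*", "ddpamq-la-c301*"]

# Blacklist-only suggestion from later in the thread.
ALT_BL = [r"ddpamq-[^-]+-c\d+"]

if __name__ == "__main__":
    print("whitelist mode:", members(HOSTS, "whitelist", ORIG_WL, ORIG_BL))
    print("blacklist mode:", members(HOSTS, "blacklist", (), ALT_BL))
```

Under these assumptions the original stanza already excludes the c007/c008 hosts, while the blacklist-only stanza still selects web-la-c0071, which is the concern raised about hosts with other naming schemes.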