Deployment Architecture

Blacklist help in serverclass.conf

cramasta
Builder

I have a set of servers following a naming scheme like ddpamq-la-c9000

I want all servers that match ddpamq-* to get the test-fwd app except for a select few.

None of the servers listed in the blacklist settings below seem to work and the app still goes to them

[global]
blacklist.0 = *

[serverClass:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-*

[serverClass:test-fwd:app:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-nj-*
whitelist.1 = ddpamq-la-*
blacklist.0 = ddpamq-la-c007*
blacklist.1 = ddpamq-la-c008*
blacklist.2 = ddpamq-nj-c007*
blacklist.3 = ddpamq-nj-c008*
blacklist.4 = ddpamq-la-c301*
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True

0 Karma
1 Solution

alacercogitatus
SplunkTrust

The whitelist and blacklist items are PCRE regexes, with * being mapped to ".*". This then makes the regex blacklist.0 = "ddpamq-.*-c.*" and then won't match anything. So I would use a better formed regex, since ".*" matches everything.

whitelist.0 = ddpamq-\w+-[^c]\d+

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverclassconf


cramasta
Builder

Yes I did. What I found was that the forwarder no longer showed the test-fwd app in the apps directory but it was still forwarding the data. After restarting the forwarder the logs stopped coming in. Seems like the restartSplunkd = True setting didn't take place once the app was removed 😕 Thanks for the help though, I have a better understanding of how to work with blacklists now.

0 Karma

alacercogitatus
SplunkTrust

And you are reloading the deploy-server, right? splunk reload deploy-server -class test-fwd

0 Karma

cramasta
Builder

Looking at the docs it seems like I am trying to do what is listed in this example. Not sure how what I have listed above is different than this example

Example of when filterType is whitelist
whitelist.0=*.splunk.com
blacklist.0=printer.splunk.com
blacklist.1=scanner.splunk.com

0 Karma

clymbouris
Path Finder

If the regex by the more experienced splunker above doesn't work then try using a bit of a different syntax and put the app on the bottom. That's how I have them in my environment

[serverClass:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-*
blacklist.0 = ddpamq--c
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True
[serverClass:test-fwd:app:test-fwd]

or try the blacklist filter type

[serverClass:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq--c
whitelist.0 = ddpamq-*
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True
[serverClass:test-fwd:app:test-fwd]

or maybe it's a combination of the regex above and this

0 Karma


alacercogitatus
SplunkTrust

In that case, if the total number of servers is manageable, I would add them explicitly.

[serverClass:test-fwd:app:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq-nj-c9000
blacklist.1 = ddpamq-ny-c9000
blacklist.2 = ddpamq-pa-39d00
blacklist.x = whatever
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True

cramasta
Builder

Would this cause the app to get pushed to all forwarders except what matched the blacklist? If so that won't work as there are other servers out there with different naming schemes that should not get the test-fwd app.

0 Karma

alacercogitatus
SplunkTrust

Try this. It sets the default as "match" (via filterType of blacklist) and then blacklists the matching servers.

[serverClass:test-fwd:app:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq-[^-]+-c\d+
repositoryLocation = /opt/splunk/etc/deployment-apps
stateOnClient = enabled
restartSplunkd = True

0 Karma
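As an added example (not code from this thread, and not Splunk's own matching code), here is a small Python model of how the deployment server evaluates serverclass.conf whitelist/blacklist entries. It implements the rule from the accepted answer (each entry is a PCRE and an unescaped `*` becomes `.*`) and makes two assumptions of mine: an entry must match the whole client name, and precedence follows the linked serverclass.conf docs as I read them (with filterType = whitelist a client must match a whitelist entry and no blacklist entry; with filterType = blacklist every client is in unless it matches a blacklist entry, a whitelist hit overriding that). It runs the questioner's stanza and the regex-only blacklist stanza from the post above against constructed hostnames, so you can see which clients would receive the app before touching a real deployment server.

```python
import configparser
import re

# Constructed sample conf text: the questioner's stanza from the thread plus a
# second stanza using the regex-only blacklist suggested above.
SAMPLE_CONF = r"""
[serverClass:test-fwd:app:test-fwd]
filterType = whitelist
whitelist.0 = ddpamq-nj-*
whitelist.1 = ddpamq-la-*
blacklist.0 = ddpamq-la-c007*
blacklist.1 = ddpamq-la-c008*
blacklist.2 = ddpamq-nj-c007*
blacklist.3 = ddpamq-nj-c008*
blacklist.4 = ddpamq-la-c301*

[serverClass:test-fwd-regex:app:test-fwd]
filterType = blacklist
blacklist.0 = ddpamq-[^-]+-c\d+
"""

# Constructed client names, as the deployment server would see them.
SAMPLE_CLIENTS = [
    "ddpamq-la-c9000",
    "ddpamq-la-c0071",
    "ddpamq-nj-c0082",
    "ddpamq-la-c3010",
    "ddpamq-nj-d1234",
    "webfe-ny-c0071",   # a host outside the ddpamq naming scheme
]


def wildcard_to_regex(entry):
    """Turn one whitelist/blacklist entry into a compiled regex.

    The entry is already a PCRE; Splunk rewrites each unescaped '*' to '.*'.
    So 'ddpamq-*-c*' becomes 'ddpamq-.*-c.*', which is why such a blacklist
    knocks out every ddpamq host with '-c' anywhere in the name.
    """
    return re.compile(re.sub(r"(?<!\\)\*", ".*", entry))


def matches_any(client, entries):
    # Assumption: the regex must cover the whole client name.
    return any(wildcard_to_regex(e).fullmatch(client) for e in entries)


def is_member(client, filter_type, whitelist, blacklist):
    """Decide membership for one client under the given filterType."""
    on_whitelist = matches_any(client, whitelist)
    on_blacklist = matches_any(client, blacklist)
    if filter_type == "whitelist":
        # Must be whitelisted, and a blacklist hit removes the client.
        return on_whitelist and not on_blacklist
    if filter_type == "blacklist":
        # Everyone is in unless blacklisted; a whitelist hit overrides (assumed).
        return on_whitelist or not on_blacklist
    raise ValueError(f"unknown filterType: {filter_type}")


def load_stanza(conf_text, stanza):
    """Read filterType and the numbered whitelist/blacklist entries of a stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (filterType, restartSplunkd)
    cp.read_string(conf_text)
    section = cp[stanza]

    def numbered(prefix):
        found = []
        for key, value in section.items():
            name, _, index = key.partition(".")
            if name == prefix and index.isdigit():   # skips non-numeric keys like blacklist.x
                found.append((int(index), value))
        return [value for _, value in sorted(found)]

    return (section.get("filterType", "whitelist"),
            numbered("whitelist"), numbered("blacklist"))


def evaluate(conf_text, stanza, clients):
    """Map each client name to True (gets the app) or False (excluded)."""
    filter_type, whitelist, blacklist = load_stanza(conf_text, stanza)
    return {c: is_member(c, filter_type, whitelist, blacklist) for c in clients}


if __name__ == "__main__":
    for stanza in ("serverClass:test-fwd:app:test-fwd",
                   "serverClass:test-fwd-regex:app:test-fwd"):
        print(f"[{stanza}]")
        for client, member in evaluate(SAMPLE_CONF, stanza, SAMPLE_CLIENTS).items():
            print(f"  {client:<18} {'gets app' if member else 'excluded'}")
```

Under these rules the questioner's stanza keeps ddpamq-la-c9000 and ddpamq-nj-d1234 and excludes the c007/c008/c301 hosts, while the regex-only blacklist stanza also admits webfe-ny-c0071, which is exactly the objection raised to it in the thread. If a real deployment server disagrees with this model, check that the class was reloaded (`splunk reload deploy-server -class test-fwd`) before suspecting the patterns.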

cramasta
Builder

Thanks I see what you did with the whitelist and how that would work. I should have provided a better example of what I needed to do though. I have hundreds of forwarders but only need to blacklist about 5 of them from the app. If you look at my original post I updated it with an example that does a better job of showing what I'm trying to do

0 Karma