Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Groups of hosts for serverclass.conf?

gowen
Path Finder
‎02-22-2012 12:51 PM

Is there any way to group hosts so that a group can be specified in the serverclass.conf whitelist/blacklist rather than hostname regexes? Past a certain number of hosts using regexes like that gets complex and needs to be repeated for each stanza. I'd rather set up a 'webserver' group and throw all my web servers in it and then use that for the various stanzas that want to address those servers.

Tags (2)
Reply

bwooden
Splunk Employee
Splunk Employee
‎02-22-2012 01:10 PM

You may group servers by:

  • Any clientName specified by the client in its deploymentclient.conf file
  • The ip address of the connected client
  • The hostname of the connected client as provided by reverse DNS lookup
  • The hostname of the client as provided by the client

You can also group them by the type of operating system.

-http://docs.splunk.com/Documentation/Splunk/latest/admin/Serverclassconf

...so if you have servers named like web01 and web02, you can include them with one whitelist 

whitelist.0=web\d{2}

or

whitelist.0=web0(1|2)

etc.

You may also set the clientName to 'webserver' on each box in deploymentclient.conf, such that you could use

whitelist.0=webserver
0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎02-22-2012 01:47 PM

You can often achieve the result via inheritance - but I see your point. It is not possible to explicitly say one serverclass contains another serverclass. This would be a great enhancement request.

0 Karma
Reply

gowen
Path Finder
‎02-22-2012 01:23 PM

Those are all 'specify or filter host' solutions with no re-use between stanzas, so it seems the answer is "no, no groups"?

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...