Deployment Architecture

How do i configure serverclass.conf for a deployment server?

Chris_R_
Splunk Employee
Splunk Employee

How do i configure a serverclass.conf for a deployment server, with multiple apps based on host connections?

Tags (1)
1 Solution

gkanapathy
Splunk Employee
Splunk Employee

The following is a good example. It shows use of a few features:

  • Using the [global] section to set global defaults
  • Using machine types to select classes
  • Layering multiple classes and multiple apps
  • Using appFile to push out an app from a different name
  • Removing apps by pushing out emptyapp, which should be an app folder that contains only an empty local folder

serverclass.conf:

[global]
stateOnClient = enabled
blacklist.0=*
continueMatching = true

[serverClass:base]
whitelist.0=*
[serverClass:base:app:myapp1_props]


[serverClass:forwarders]
whitelist.0=*
[serverClass:forwarders:app:forwarder_base]
restartSplunkd = true
[serverClass:forwarders:app:sample_app]
stateOnClient = disabled
[serverClass:forwarders:app:gettingstarted]
stateOnClient = disabled

[serverClass:winforwarders]
machineTypes = windows-intel,windows-x64
[serverClass:winforwarders:app:SplunkLightForwarder-win]
restartSplunkd = true
[serverClass:winforwarders:app:wininputs]
restartSplunkd = true
[serverClass:winforwarders:app:SplunkLightForwarder]
appFile = emptyapp
stateOnClient = disabled


[serverClass:linforwarders]
machineTypes = linux-i686,linux-x86_64
[serverClass:linforwarders:app:SplunkLightForwarder-oth]
restartSplunkd = true
[serverClass:linforwarders:app:SplunkLightForwarder]
stateOnClient = disabled
restartSplunkd = true

[serverClass:myapp1]
whitelist.0=xxx.*
whitelist.1=yyy.*
[serverClass:myapp1:app:myapp1_inputs]
restartSplunkd = true

[serverClass:myapp2]
whitelist.0=10.11.12.*
whitelist.1=10.11.13.*
[serverClass:myapp2:app:myapp2_inputs]
restartSplunkd = true

View solution in original post

mendesjo
Path Finder

I setup a brand new splunk box, and I go to forwarder managment and I get "there is an error in your serverclass.conf which is preventing deployment server from initializing. Please see your serverclass.conf.spec file for more information." Thought this might help but from reading above I dont' don't know how to create a a serverclass.conf or where it goes. What should it be for a new blank server?

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

The following is a good example. It shows use of a few features:

  • Using the [global] section to set global defaults
  • Using machine types to select classes
  • Layering multiple classes and multiple apps
  • Using appFile to push out an app from a different name
  • Removing apps by pushing out emptyapp, which should be an app folder that contains only an empty local folder

serverclass.conf:

[global]
stateOnClient = enabled
blacklist.0=*
continueMatching = true

[serverClass:base]
whitelist.0=*
[serverClass:base:app:myapp1_props]


[serverClass:forwarders]
whitelist.0=*
[serverClass:forwarders:app:forwarder_base]
restartSplunkd = true
[serverClass:forwarders:app:sample_app]
stateOnClient = disabled
[serverClass:forwarders:app:gettingstarted]
stateOnClient = disabled

[serverClass:winforwarders]
machineTypes = windows-intel,windows-x64
[serverClass:winforwarders:app:SplunkLightForwarder-win]
restartSplunkd = true
[serverClass:winforwarders:app:wininputs]
restartSplunkd = true
[serverClass:winforwarders:app:SplunkLightForwarder]
appFile = emptyapp
stateOnClient = disabled


[serverClass:linforwarders]
machineTypes = linux-i686,linux-x86_64
[serverClass:linforwarders:app:SplunkLightForwarder-oth]
restartSplunkd = true
[serverClass:linforwarders:app:SplunkLightForwarder]
stateOnClient = disabled
restartSplunkd = true

[serverClass:myapp1]
whitelist.0=xxx.*
whitelist.1=yyy.*
[serverClass:myapp1:app:myapp1_inputs]
restartSplunkd = true

[serverClass:myapp2]
whitelist.0=10.11.12.*
whitelist.1=10.11.13.*
[serverClass:myapp2:app:myapp2_inputs]
restartSplunkd = true

Chris_R_
Splunk Employee
Splunk Employee

Here's an example of a serverclass.conf with various hosts making connections and 2 different apps, a mail_server app and win_clients app. In this examples only hosts starting with the hostname of host_123 or host_456 will get the "win" app. While hosts starting with the hostname of mail will get the "mail" app.

[global]
whitelist.0=host_123*
whitelist.1=host_456*
whitelist.2=mail*
whitelist.3=host_abc*
whitelist.4=host_xyz*

[serverClass:win_clients]
whitelist.0=host_123*
whitelist.1=host_456*
blacklist.1=mail*
blacklist.2=host_abc*
blacklist.3=host_xyz*

[serverClass:win_clients:app:win]
stateOnClient=enabled
restartSplunkd = true

[serverClass:mail_servers]
whitelist.0=mail*
blacklist.0=host_123*
blacklist.1=host_456*
blacklist.2=host_abc*
blacklist.3=host_xyz*

[serverClass:mail_servers:app:mail]
stateOnClient=enabled
restartSplunkd = true

The apps directories by default will reside on the deployment server in $SPLUNK_HOME/deployment-apps, so any config files should be placed there to be deployed to clients. Once deployed on the clients they will reside on $SPLUNK_HOME/apps

Many more options can be found in http://www.splunk.com/base/Documentation/4.0.9/Admin/Definedeploymentclasses
and http://www.splunk.com/base/Documentation/4.0.9/Admin/Serverclassconf

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...