Deployment Architecture

Question about filters for deployment server (4.1.4)

Joffer
Path Finder

Lets say I have this simple serverClasses:

[global]
whitelist.0 = *

[serverClass:Windows]
machineTypes = windows-intel

[serverClass:Windows:app:some-app]
whitelist.0 = *
stateOnClient = enabled
restartSplunkd = true

Will the whitelist in "some-app" enable the app for linux servers (and all other servers)? Even though I set machineTypes to windows-intel in the serverClass? Or will only windows servers be "handed down" to the app stanza and the filtered through the white/blacklists?

Can I use whitelist, blacklist and machineTypes in one and the same stanza?

1 Solution

gkanapathy
Splunk Employee
Splunk Employee

It doesn't work the way you'd think. machineTypes are only applied if a machine is blacklisted (or not whitelisted).

In your above file, some-app will be sent to all machines, as whitelist.0 = * is inherited from [global]. (machineTypes = windows-intel is inherited in the app:some-app stanza from the server:Windows stanza, but is never checked because of the whitelist.

I usually set blacklist.0 = * in the global stanza just so that machineTypes settings work a little better.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee

It doesn't work the way you'd think. machineTypes are only applied if a machine is blacklisted (or not whitelisted).

In your above file, some-app will be sent to all machines, as whitelist.0 = * is inherited from [global]. (machineTypes = windows-intel is inherited in the app:some-app stanza from the server:Windows stanza, but is never checked because of the whitelist.

I usually set blacklist.0 = * in the global stanza just so that machineTypes settings work a little better.

Joffer
Path Finder

I ended up skipping all lists in [global] and just do my config in the serverClass stanzas (and :app:xxx). It finally worked.

Still, I would like to have my previous question confirmed or not:

"So, in my config above, if I don't put the global whitelist, the whitelist in some-app would "overrun" the inherited machineTypes from the Windows class, and linux servers would be a match for the app?"

Put another way, will a whitelist.0 = * in a :app:xxx stanza overrun a parent serverclass machineTypes filter, or will '*' only apply to the supplied machineTypes servers?

0 Karma

Joffer
Path Finder

Yepp, thats where I found it 🙂

0 Karma

gkanapathy
Splunk Employee
Splunk Employee

if you run a ./splunk list deploy-clients from the deployment server, it will list out the machines that have connected and their self-identified utsname/machineTypes

0 Karma

Joffer
Path Finder

One important thing I noticed is that my Windows x64 servers sends an utsname=windows-x64 to splunk, and not windows-intel as I thought.

0 Karma

Joffer
Path Finder

So, in my config above, if I don't put the global whitelist, the whitelist in some-app would "overrun" the inherited machineTypes from the Windows class, and linux servers would be a match for the app?

0 Karma

ftk
Motivator

I was not aware of that. Especially when looking at the docs, where the example for machineTypes uses a whitelist. (http://www.splunk.com/base/Documentation/latest/Admin/Definedeploymentclasses) Should the docs team be alerted that this article needs revision?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...