Solved: Re: Question about filters for deployment server (...

Joffer · ‎08-13-2010

Lets say I have this simple serverClasses:

[global]
whitelist.0 = *

[serverClass:Windows]
machineTypes = windows-intel

[serverClass:Windows:app:some-app]
whitelist.0 = *
stateOnClient = enabled
restartSplunkd = true

Will the whitelist in "some-app" enable the app for linux servers (and all other servers)? Even though I set machineTypes to windows-intel in the serverClass? Or will only windows servers be "handed down" to the app stanza and the filtered through the white/blacklists?

Can I use whitelist, blacklist and machineTypes in one and the same stanza?

gkanapathy · ‎08-16-2010

It doesn't work the way you'd think. machineTypes are only applied if a machine is blacklisted (or not whitelisted).

In your above file, some-app will be sent to all machines, as whitelist.0 = * is inherited from [global]. (machineTypes = windows-intel is inherited in the app:some-app stanza from the server:Windows stanza, but is never checked because of the whitelist.

I usually set blacklist.0 = * in the global stanza just so that machineTypes settings work a little better.

View solution in original post

gkanapathy · ‎08-16-2010

It doesn't work the way you'd think. machineTypes are only applied if a machine is blacklisted (or not whitelisted).

In your above file, some-app will be sent to all machines, as whitelist.0 = * is inherited from [global]. (machineTypes = windows-intel is inherited in the app:some-app stanza from the server:Windows stanza, but is never checked because of the whitelist.

I usually set blacklist.0 = * in the global stanza just so that machineTypes settings work a little better.

Joffer · ‎08-17-2010

I ended up skipping all lists in [global] and just do my config in the serverClass stanzas (and :app:xxx). It finally worked.

Still, I would like to have my previous question confirmed or not:

"So, in my config above, if I don't put the global whitelist, the whitelist in some-app would "overrun" the inherited machineTypes from the Windows class, and linux servers would be a match for the app?"

Put another way, will a whitelist.0 = * in a :app:xxx stanza overrun a parent serverclass machineTypes filter, or will '*' only apply to the supplied machineTypes servers?

Joffer · ‎08-17-2010

Yepp, thats where I found it 🙂

gkanapathy · ‎08-16-2010

if you run a ./splunk list deploy-clients from the deployment server, it will list out the machines that have connected and their self-identified utsname/machineTypes

Joffer · ‎08-16-2010

One important thing I noticed is that my Windows x64 servers sends an utsname=windows-x64 to splunk, and not windows-intel as I thought.

Joffer · ‎08-16-2010

So, in my config above, if I don't put the global whitelist, the whitelist in some-app would "overrun" the inherited machineTypes from the Windows class, and linux servers would be a match for the app?

ftk · ‎08-16-2010

I was not aware of that. Especially when looking at the docs, where the example for machineTypes uses a whitelist. (http://www.splunk.com/base/Documentation/latest/Admin/Definedeploymentclasses) Should the docs team be alerted that this article needs revision?

Question about filters for deployment server (4.1.4)

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024