Deployment Architecture

Question about filters for deployment server (4.1.4)

Path Finder

Lets say I have this simple serverClasses:

[global]
whitelist.0 = *

[serverClass:Windows]
machineTypes = windows-intel

[serverClass:Windows:app:some-app]
whitelist.0 = *
stateOnClient = enabled
restartSplunkd = true

Will the whitelist in "some-app" enable the app for linux servers (and all other servers)? Even though I set machineTypes to windows-intel in the serverClass? Or will only windows servers be "handed down" to the app stanza and the filtered through the white/blacklists?

Can I use whitelist, blacklist and machineTypes in one and the same stanza?

1 Solution

Splunk Employee
Splunk Employee

It doesn't work the way you'd think. machineTypes are only applied if a machine is blacklisted (or not whitelisted).

In your above file, some-app will be sent to all machines, as whitelist.0 = * is inherited from [global]. (machineTypes = windows-intel is inherited in the app:some-app stanza from the server:Windows stanza, but is never checked because of the whitelist.

I usually set blacklist.0 = * in the global stanza just so that machineTypes settings work a little better.

View solution in original post

Splunk Employee
Splunk Employee

It doesn't work the way you'd think. machineTypes are only applied if a machine is blacklisted (or not whitelisted).

In your above file, some-app will be sent to all machines, as whitelist.0 = * is inherited from [global]. (machineTypes = windows-intel is inherited in the app:some-app stanza from the server:Windows stanza, but is never checked because of the whitelist.

I usually set blacklist.0 = * in the global stanza just so that machineTypes settings work a little better.

View solution in original post

Path Finder

I ended up skipping all lists in [global] and just do my config in the serverClass stanzas (and :app:xxx). It finally worked.

Still, I would like to have my previous question confirmed or not:

"So, in my config above, if I don't put the global whitelist, the whitelist in some-app would "overrun" the inherited machineTypes from the Windows class, and linux servers would be a match for the app?"

Put another way, will a whitelist.0 = * in a :app:xxx stanza overrun a parent serverclass machineTypes filter, or will '*' only apply to the supplied machineTypes servers?

0 Karma

Path Finder

Yepp, thats where I found it 🙂

0 Karma

Splunk Employee
Splunk Employee

if you run a ./splunk list deploy-clients from the deployment server, it will list out the machines that have connected and their self-identified utsname/machineTypes

0 Karma

Path Finder

One important thing I noticed is that my Windows x64 servers sends an utsname=windows-x64 to splunk, and not windows-intel as I thought.

0 Karma

Path Finder

So, in my config above, if I don't put the global whitelist, the whitelist in some-app would "overrun" the inherited machineTypes from the Windows class, and linux servers would be a match for the app?

0 Karma

Motivator

I was not aware of that. Especially when looking at the docs, where the example for machineTypes uses a whitelist. (http://www.splunk.com/base/Documentation/latest/Admin/Definedeploymentclasses) Should the docs team be alerted that this article needs revision?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!