Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Serverclass using machineTypes that excludes one server

imacdonald2
Path Finder
‎01-04-2012 11:16 AM

I would like to have a serverclass for all linux machines that excludes one machine.

I have tried the following but it doesn't appear to work, the app fwd_to_splunk still gets deployed to the server.

Any suggestions.

[global]

blacklist.0=*

[serverClass:alllinux]

machineTypes=linux-*

blacklist.0=host1

[serverClass:alllinux:app:fwd_to_splunk]

stateOnClient=enabled

restartSplunkd=true

Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-04-2012 12:37 PM

Unfortunately, you can't do this. The logic of machineTypes is such that every machine that is blacklisted (or not whitelisted) is checked for the machineType, and then is sent that serverclass/app. (The logic is "matching names OR matching machineTypes", instead of your desired "matching names AND matching machineTypes") This functionality is not useful behavior, and is basically a design flaw.

I expect there to be a change in the 4.3 release of Splunk due very imminently to provide the functionality you're looking for. (And which is useful to most people.)

View solution in original post

Reply
Solved! Jump to solution

gavin1_davenpor
Path Finder
‎08-01-2012 02:34 AM

Quote: "I expect there to be a change in the 4.3 release of Splunk due very imminently to provide the functionality you're looking for. (And which is useful to most people.)"

I'd like to be able to include all my hosts by machineType but then EXCLUDE a static list of hosts by name - i.e. to be able to use 2 serverclass definitions for the same app.
Define serverclass A based on machineType
Define serverclass B based on hostname/IP
Whitelist by machineType serverclass A
then Blacklist by hostname serverclass B

Did this get incorporated in 4.3.* ?

0 Karma
Reply
Solved! Jump to solution

gavin1_davenpor
Path Finder
‎08-01-2012 08:20 AM

So I can do:
[serverClass:mynewapp]
machineTypesFilter=linux-x86_64
blacklist.0=dont_push_new_app_to_me1.fqdn
blacklist.1=dont_push_new_app_to_me2.fqdn

This would push "mynewapp" to all x86_64 linux hosts EXCEPT the 2 blacklisted ?

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-01-2012 08:15 AM

You are also misunderstanding how serverclasses and filters should work. the functionality in 4.3 has nothing to do with working across different serverclasses, only on rules within a serverclass (or app).

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-01-2012 08:13 AM

see machineTypeFilter setting and compare with machineTypes setting

0 Karma
Reply
Solved! Jump to solution

gavin1_davenpor
Path Finder
‎08-01-2012 08:11 AM

That didn't answer my question.
I would like to be able to - for a given serverclass -
whitelist based on machineTypesFilter and ALSO blacklist based on hostname.

Your comment from 04/01 suggested you expected this change to be incorporated in the 4.3 version. Did it get incorporated ?

My solution has been to have apps I consider 'stable' to be covered by machineTypesFilter, and apps I consider in development to be covered by whitelists.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-01-2012 07:44 AM

see machineTypesFilter setting.

0 Karma
Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-04-2012 12:37 PM

Unfortunately, you can't do this. The logic of machineTypes is such that every machine that is blacklisted (or not whitelisted) is checked for the machineType, and then is sent that serverclass/app. (The logic is "matching names OR matching machineTypes", instead of your desired "matching names AND matching machineTypes") This functionality is not useful behavior, and is basically a design flaw.

I expect there to be a change in the 4.3 release of Splunk due very imminently to provide the functionality you're looking for. (And which is useful to most people.)

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-04-2012 04:38 PM

yes, if it's going to all machines (even if they're not linux), then you can just drop the machineTypes clause, and use white/black lists only.

0 Karma
Reply
Solved! Jump to solution

imacdonald2
Path Finder
‎01-04-2012 02:36 PM

so it sounds like I can't do this using machineTypes, any thoughts on an other way I can do this? I guess I could do a whitelist.0=0 then blacklist.0=host1, and apply it to all machines. Since the forwarder config is the same for windows and linux

0 Karma
Reply
Solved! Jump to solution

Kate_Lawrence-G
Contributor
‎01-04-2012 12:23 PM

I'd try something like this:

[global]
[serverClass:AppsByMachineType]
whitelist.0 = *

[serverClass:AppsByMachineType:app:linux-base]
# Deploy this app only to unix boxes - 32/64 bit.
machineTypes = linux-i686, linux-x86_64
restartSplunkd = true
stateOnClient = enabled
blacklist.0 = host1
0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-04-2012 01:40 PM

As I said in my other answer.

Reply
Solved! Jump to solution

imacdonald2
Path Finder
‎01-04-2012 01:12 PM

I tried this and it didn't work it still goes out to host1. Do you have this working?

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...