Deployment Architecture

Serverclass using machineTypes that excludes one server

Path Finder

I would like to have a serverclass for all linux machines that excludes one machine.

I have tried the following but it doesn't appear to work, the app fwdtosplunk still gets deployed to the server.

Any suggestions.

[global]

blacklist.0=*

[serverClass:alllinux]

machineTypes=linux-*

blacklist.0=host1

[serverClass:alllinux:app:fwdtosplunk]

stateOnClient=enabled

restartSplunkd=true

1 Solution

Splunk Employee
Splunk Employee

Unfortunately, you can't do this. The logic of machineTypes is such that every machine that is blacklisted (or not whitelisted) is checked for the machineType, and then is sent that serverclass/app. (The logic is "matching names OR matching machineTypes", instead of your desired "matching names AND matching machineTypes") This functionality is not useful behavior, and is basically a design flaw.

I expect there to be a change in the 4.3 release of Splunk due very imminently to provide the functionality you're looking for. (And which is useful to most people.)

View solution in original post

Path Finder

Quote: "I expect there to be a change in the 4.3 release of Splunk due very imminently to provide the functionality you're looking for. (And which is useful to most people.)"

I'd like to be able to include all my hosts by machineType but then EXCLUDE a static list of hosts by name - i.e. to be able to use 2 serverclass definitions for the same app.
Define serverclass A based on machineType
Define serverclass B based on hostname/IP
Whitelist by machineType serverclass A
then Blacklist by hostname serverclass B

Did this get incorporated in 4.3.* ?

0 Karma

Path Finder

So I can do:
[serverClass:mynewapp]
machineTypesFilter=linux-x8664
blacklist.0=dont
pushnewapptome1.fqdn
blacklist.1=dontpushnewappto_me2.fqdn

This would push "mynewapp" to all x86_64 linux hosts EXCEPT the 2 blacklisted ?

0 Karma

Splunk Employee
Splunk Employee

You are also misunderstanding how serverclasses and filters should work. the functionality in 4.3 has nothing to do with working across different serverclasses, only on rules within a serverclass (or app).

0 Karma

Splunk Employee
Splunk Employee

see machineTypeFilter setting and compare with machineTypes setting

0 Karma

Path Finder

That didn't answer my question.
I would like to be able to - for a given serverclass -
whitelist based on machineTypesFilter and ALSO blacklist based on hostname.

Your comment from 04/01 suggested you expected this change to be incorporated in the 4.3 version. Did it get incorporated ?

My solution has been to have apps I consider 'stable' to be covered by machineTypesFilter, and apps I consider in development to be covered by whitelists.

0 Karma

Splunk Employee
Splunk Employee

see machineTypesFilter setting.

0 Karma

Splunk Employee
Splunk Employee

Unfortunately, you can't do this. The logic of machineTypes is such that every machine that is blacklisted (or not whitelisted) is checked for the machineType, and then is sent that serverclass/app. (The logic is "matching names OR matching machineTypes", instead of your desired "matching names AND matching machineTypes") This functionality is not useful behavior, and is basically a design flaw.

I expect there to be a change in the 4.3 release of Splunk due very imminently to provide the functionality you're looking for. (And which is useful to most people.)

View solution in original post

Splunk Employee
Splunk Employee

yes, if it's going to all machines (even if they're not linux), then you can just drop the machineTypes clause, and use white/black lists only.

0 Karma

Path Finder

so it sounds like I can't do this using machineTypes, any thoughts on an other way I can do this? I guess I could do a whitelist.0=0 then blacklist.0=host1, and apply it to all machines. Since the forwarder config is the same for windows and linux

0 Karma

Contributor

I'd try something like this:

[global]
[serverClass:AppsByMachineType]
whitelist.0 = *

[serverClass:AppsByMachineType:app:linux-base]
# Deploy this app only to unix boxes - 32/64 bit.
machineTypes = linux-i686, linux-x86_64
restartSplunkd = true
stateOnClient = enabled
blacklist.0 = host1
0 Karma

Splunk Employee
Splunk Employee

As I said in my other answer.

Path Finder

I tried this and it didn't work it still goes out to host1. Do you have this working?

0 Karma