Serverclass using machineTypes that excludes one server

imacdonald2
Path Finder

I would like to have a serverclass for all linux machines that excludes one machine.

I have tried the following but it doesn't appear to work, the app fwd_to_splunk still gets deployed to the server.

Any suggestions?

[global]
blacklist.0=*

[serverClass:alllinux]
machineTypes=linux-*
blacklist.0=host1

[serverClass:alllinux:app:fwd_to_splunk]
stateOnClient=enabled
restartSplunkd=true

1 Solution

gkanapathy
Splunk Employee

Unfortunately, you can't do this. The logic of machineTypes is such that every machine that is blacklisted (or not whitelisted) is checked for the machineType, and then is sent that serverclass/app. (The logic is "matching names OR matching machineTypes", instead of your desired "matching names AND matching machineTypes".) This functionality is not useful behavior, and is basically a design flaw.

I expect there to be a change in the 4.3 release of Splunk due very imminently to provide the functionality you're looking for. (And which is useful to most people.)

gavin1_davenpor
Path Finder

Quote: "I expect there to be a change in the 4.3 release of Splunk due very imminently to provide the functionality you're looking for. (And which is useful to most people.)"

I'd like to be able to include all my hosts by machineType but then EXCLUDE a static list of hosts by name - i.e. to be able to use 2 serverclass definitions for the same app.
Define serverclass A based on machineType
Define serverclass B based on hostname/IP
Whitelist by machineType serverclass A
then Blacklist by hostname serverclass B

Did this get incorporated in 4.3.*?

0 Karma

gavin1_davenpor
Path Finder

So I can do:
[serverClass:mynewapp]
machineTypesFilter=linux-x86_64
blacklist.0=dont_push_new_app_to_me1.fqdn
blacklist.1=dont_push_new_app_to_me2.fqdn

This would push "mynewapp" to all x86_64 linux hosts EXCEPT the 2 blacklisted?

0 Karma

gkanapathy
Splunk Employee

You are also misunderstanding how serverclasses and filters should work. The functionality in 4.3 has nothing to do with working across different serverclasses, only on rules within a serverclass (or app).

0 Karma

gkanapathy
Splunk Employee

See machineTypeFilter setting and compare with machineTypes setting.

0 Karma

gavin1_davenpor
Path Finder

That didn't answer my question.
I would like to be able to - for a given serverclass -
whitelist based on machineTypesFilter and ALSO blacklist based on hostname.

Your comment from 04/01 suggested you expected this change to be incorporated in the 4.3 version. Did it get incorporated?

My solution has been to have apps I consider 'stable' to be covered by machineTypesFilter, and apps I consider in development to be covered by whitelists.

0 Karma

gkanapathy
Splunk Employee

See machineTypesFilter setting.

0 Karma

gkanapathy
Splunk Employee

Yes, if it's going to all machines (even if they're not linux), then you can just drop the machineTypes clause, and use white/black lists only.

0 Karma

imacdonald2
Path Finder

So it sounds like I can't do this using machineTypes. Any thoughts on another way I can do this? I guess I could do a whitelist.0=0 then blacklist.0=host1, and apply it to all machines, since the forwarder config is the same for Windows and Linux.

0 Karma

Kate_Lawrence-G
Contributor

I'd try something like this:

[global]
[serverClass:AppsByMachineType]
whitelist.0 = *

[serverClass:AppsByMachineType:app:linux-base]
# Deploy this app only to unix boxes - 32/64 bit.
machineTypes = linux-i686, linux-x86_64
restartSplunkd = true
stateOnClient = enabled
blacklist.0 = host1

0 Karma

gkanapathy
Splunk Employee

As I said in my other answer.

imacdonald2
Path Finder

I tried this and it didn't work; it still goes out to host1. Do you have this working?

0 Karma
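
The difference between the two settings discussed in this thread, as an added example that is not part of any post and is not Splunk's code: a small Python model of "names OR machineTypes" (the machineTypes behaviour gkanapathy describes) against "names AND machine types" (machineTypesFilter). The client list, the use of fnmatch for wildcards and the `whitelist.0=*` line in the second server class are assumptions made for the illustration.

```python
from fnmatch import fnmatchcase

# Constructed deployment clients: (hostname, machine type).
CLIENTS = [("host1", "linux-x86_64"), ("web01", "linux-x86_64"),
           ("win01", "windows-x64")]

def matches(value, patterns):
    """True if value matches any wildcard pattern (fnmatch is a stand-in)."""
    return any(fnmatchcase(value, p) for p in patterns)

def name_ok(host, sc):
    """Name filter: host must be whitelisted and must not be blacklisted."""
    return (matches(host, sc.get("whitelist", []))
            and not matches(host, sc.get("blacklist", [])))

def recipients_machine_types(sc):
    """machineTypes as described in the thread: names OR machine types."""
    return [h for h, t in CLIENTS
            if name_ok(h, sc) or matches(t, sc["machineTypes"])]

def recipients_machine_types_filter(sc):
    """machineTypesFilter: names AND machine types."""
    return [h for h, t in CLIENTS
            if name_ok(h, sc) and matches(t, sc["machineTypesFilter"])]

# The question's server class: machineTypes=linux-* with blacklist.0=host1.
QUESTION = {"machineTypes": ["linux-*"], "blacklist": ["host1"]}

# Same intent with machineTypesFilter; whitelist.0=* is an assumption added here.
FILTERED = {"whitelist": ["*"], "blacklist": ["host1"],
            "machineTypesFilter": ["linux-*"]}

if __name__ == "__main__":
    # The blacklisted host1 is still selected because its machine type matches.
    print("machineTypes      :", recipients_machine_types(QUESTION))
    # With AND semantics the blacklist entry removes host1.
    print("machineTypesFilter:", recipients_machine_types_filter(FILTERED))
```

Running the same model over a reviewed serverclass.conf and a host inventory shows which hosts a name blacklist fails to exclude before the app is pushed.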