Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Simplifying serverclass.conf?

sowings
Splunk Employee
Splunk Employee
‎02-05-2013 09:06 AM

Let's say that I have a class in my serverclass.conf that contains a pretty substantial
white/blacklist. This is in an effort to narrow down the hosts receiving a particular set
of apps. Further, let's assume that there are, say, two distinct subsets of the larger
class, that get data center specific apps (e.g. one containing outputs.conf). The docs
for serverclass.conf say that I can include whitelist.N or blacklist.N at the app level
in addition to the class level.

When I provide a filtering statement at the app level, am I overriding the existing one
from the class level, and therefore renumbering the entries, or clearing them, such as
blacklist.4 = ? Or instead is this a completely separate filter and my
numbering would start again at 0?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎02-05-2013 02:40 PM

According to serverclass.conf.spec:

# Property inheritance
# Stanzas in serverclass.conf go from general to more specific, in the following order:
# [serverClass] -> [serverClass:<name>] -> [serverClass:<scname>:app:<appname>]
#
# Some properties defined at a general level (say [serverClass]) can be
# overridden by the more specific stanzas as it applies to them. All inheritable
# properties are marked as such.
(...)

filterType = whitelist | blacklist
(...)  
* Can be overridden at the serverClass level, and the serverClass:app level.

It seems that a filtering statement at the app level (most specific) will override a colliding statement at the class-level (least specific).

View solution in original post

Reply
Solved! Jump to solution
Solution

hexx
Splunk Employee
Splunk Employee
‎02-05-2013 02:40 PM

According to serverclass.conf.spec:

# Property inheritance
# Stanzas in serverclass.conf go from general to more specific, in the following order:
# [serverClass] -> [serverClass:<name>] -> [serverClass:<scname>:app:<appname>]
#
# Some properties defined at a general level (say [serverClass]) can be
# overridden by the more specific stanzas as it applies to them. All inheritable
# properties are marked as such.
(...)

filterType = whitelist | blacklist
(...)  
* Can be overridden at the serverClass level, and the serverClass:app level.

It seems that a filtering statement at the app level (most specific) will override a colliding statement at the class-level (least specific).

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎02-14-2013 10:28 AM

Thanks, I finally worked it out. There was one more key piece of documentation that I had missed before:

# Note: Overriding one type of filter (whitelist/blacklist) causes the other to
# the overridden too. It is important to note that if you are overriding the
# whitelist, the blacklist will not be inherited from the parent - you must
# provide one in the stanza.

My instance used filterType = blacklist but initially failed to carry forward the blacklist entries. When I added that in at app level, that worked.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...