Getting Data In

Help with monitor input blacklist

hank72
Path Finder

Hi Community!

I'm hoping someone can set my head straight. 

I have two app inputs. One that I push to all *NIX servers (Splunk_TA_nix), and one additional app that I want to push to one specific server, serverXX (Splunk_TA_nix_serverXX_inputs). For serverXX, I want it to have an additional blacklist entry to exclude all files named /var/log/syslog/XYZ.*

Splunk_TA_nix/local/inputs.conf    (other stanzas exist but have been removed for this example)
[monitor:///var/log]
whitelist = kern*|syslog$
blacklist=(lastlog|cron|FILES.*$)
disabled = 0
index = nix
sourcetype = syslog

Splunk_TA_nix_serverXX_inputs/local/inputs.conf    (the app just contains this stanza)
[monitor:///var/log]
whitelist = kern*|syslog$
blacklist=(lastlog|cron|FILES.*$|XYZ\.)
disabled = 0
index = nix
sourcetype = syslog

I tried this method of pushing the 2 apps to serverXX, and btool is showing that it's picking up the blacklist from the Splunk_TA_nix (not the one with the XYZ), so I guess I'm doing this all wrong! What should be the correct way to exclude XYZ files for only serverXX while deploying to all *NIX hosts?


PickleRick
SplunkTrust

Use the btool, Luke.

But seriously, you don't have two inputs. Both your stanzas are named the same, so they are the same input. And while parsing the config Splunk just reads the settings sequentially and overwrites earlier settings matching the same stanza parameters. See https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/Wheretofindtheconfigurationfiles

So you will have just one stanza referring to /var/log and only one blacklist/whitelist entry because the other one got overwritten according to the rules described in the linked document. The key here, since both configs are in APP/local directory, is the lexicographic order in which the entries are applied. So you can rename one of those apps to make it of "higher priority".
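The precedence rule this answer points to, worked through in an added Python example (not code from the thread or from Splunk): it parses the two inputs.conf files from the question, merges them in ASCII order of the app directory name as the linked docs describe for app local directories, and reports which app's blacklist wins. The rename to `0_Splunk_TA_nix_serverXX_inputs` is a hypothetical name chosen only to sort before `Splunk_TA_nix`.

```python
import re

# Constructed from the two inputs.conf files in the question (only the
# settings that matter for the merge are kept).
APPS = {
    "Splunk_TA_nix": r"""
[monitor:///var/log]
whitelist = kern*|syslog$
blacklist=(lastlog|cron|FILES.*$)
""",
    "Splunk_TA_nix_serverXX_inputs": r"""
[monitor:///var/log]
whitelist = kern*|syslog$
blacklist=(lastlog|cron|FILES.*$|XYZ\.)
""",
}

STANZA = re.compile(r"^\[(.+)\]$")
SETTING = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; comments and blanks skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if (m := STANZA.match(line)):
            current = stanzas.setdefault(m.group(1), {})
        elif (m := SETTING.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return stanzas

def merge_app_local(apps):
    """Merge APP/local/inputs.conf texts as Splunk does in the global context:
    apps are applied in ASCII order of their directory name and the first app
    to set a key in a stanza wins. Returns (merged, origin), where
    origin[(stanza, key)] names the app whose value survived."""
    merged, origin = {}, {}
    for app in sorted(apps):  # str ordering equals ASCII order for these names
        for stanza, settings in parse_conf(apps[app]).items():
            for key, value in settings.items():
                if key not in merged.setdefault(stanza, {}):
                    merged[stanza][key] = value
                    origin[(stanza, key)] = app
    return merged, origin

def winning_blacklist(apps, stanza="monitor:///var/log"):
    """Return (blacklist regex, app it came from) for the given stanza."""
    merged, origin = merge_app_local(apps)
    return merged[stanza]["blacklist"], origin[(stanza, "blacklist")]

# Hypothetical rename so the serverXX app sorts before Splunk_TA_nix.
RENAMED = dict(APPS)
RENAMED["0_Splunk_TA_nix_serverXX_inputs"] = RENAMED.pop("Splunk_TA_nix_serverXX_inputs")

if __name__ == "__main__":
    print(winning_blacklist(APPS))     # Splunk_TA_nix wins, as btool reported
    print(winning_blacklist(RENAMED))  # the XYZ blacklist is now the effective one
```

Run it against the original names and the blacklist without XYZ wins; with the renamed app the XYZ entry takes effect for the same stanza.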


shivanshu1593
Builder

Why not simplify by creating two serverclasses on the deployment server?

1. Create a serverclass, let's name it Splunk_TA_nix. You can add all the Linux servers there to deploy the app Splunk_TA_nix and put the server serverXX in the blacklist so that this app doesn't reach it.

2. Create another serverclass, let's call it Splunk_TA_nix_serverXX. You can put the other app Splunk_TA_nix_serverXX_inputs in it and put the server serverXX in its whitelist.

3. Then reload both serverclasses using the command "$SPLUNK_HOME/bin/splunk reload deploy-server -class <serverclass_name>" and once all Linux servers phone home, they will pick up your desired apps from the deployment server and give you the result that you need.

++If this helps, please consider accepting as an answer++

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

gcusello
SplunkTrust

Hi @hank72,

the configuration seems to be OK, also because btool confirms this, but Splunk doesn't index a source twice, so I'm not sure that the second stanza is really used.

I suggest adding the additional blacklist to the main nix add-on (in the local folder), also because it's a blacklist and it shouldn't affect other systems.

Ciao.

Giuseppe
