Hello everyone. I am managing Windows and Mac devices via the Splunk DMC. Because of an error I made in the Splunk Server Class whitelist policy, some of the Mac devices received the Windows Apps to forward logs to a Windows index. I have corrected the whitelist IP policy, but what's the best way to remove the Mac device from the wrong server classes since it's still showing up?
Do I just want to log into the Mac devices and delete the wrong Apps?
Once you correct the entry in serverclass.conf, the Mac device should no longer be in the wrong server class.
However, once added to the correct serverclass, it will not attempt to update any apps on the Mac device that are not defined in the Mac's current serverclass.
For example, if you defined serverClass A to get App SampleApp, and the Mac was accidentally part of serverClass A, it received SampleApp from the deployment server.
You then removed the Mac from serverClass A, and put it in serverClass B. Since serverClass B is not aware of SampleApp...it will not attempt to add/remove or modify the app from the Mac when they connect as serverClass B for the first time.
What you could do is define SampleApp for serverClass B, which you use for the Macs. Reload the deployment server. Then remove SampleApp from serverClass B and reload the deployment server. The deployment server should remove SampleApp from the systems that fall under serverClass B.
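An added example, not part of the original thread and not Splunk's own code: a small audit that lists which server classes (and their apps) a given client would match in a `serverclass.conf`, so an over-broad whitelist can be caught before reloading. The class names, addresses and sample file are constructed, and the matching is a simplification that treats only `*` as a wildcard and assumes a blacklist match overrides a whitelist match.

```python
import configparser
import re

# Constructed sample serverclass.conf; class names and addresses are hypothetical.
SAMPLE_CONF = """
[serverClass:windows_hosts]
whitelist.0 = 10.20.*

[serverClass:windows_hosts:app:SampleApp]
restartSplunkd = true

[serverClass:mac_hosts]
whitelist.0 = 10.20.30.*
blacklist.0 = 10.20.30.99
"""


def _matches(pattern, values):
    # Simplification: only '*' is a wildcard; comparison is case-insensitive.
    regex = re.compile(
        ".*".join(re.escape(p) for p in pattern.split("*")), re.IGNORECASE
    )
    return any(regex.fullmatch(v) for v in values)


def classes_for_client(conf_text, client_ids):
    """Return {server class: sorted app names} for each class the client matches."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(conf_text)
    apps, members = {}, []
    for section in parser.sections():
        parts = section.split(":")
        if parts[0] != "serverClass":
            continue
        if len(parts) == 4 and parts[2] == "app":
            apps.setdefault(parts[1], []).append(parts[3])
        elif len(parts) == 2:
            items = parser.items(section)
            allow = [v for k, v in items if re.fullmatch(r"whitelist\.\d+", k)]
            deny = [v for k, v in items if re.fullmatch(r"blacklist\.\d+", k)]
            # Member: matches some whitelist entry and no blacklist entry.
            if any(_matches(p, client_ids) for p in allow) and not any(
                _matches(p, client_ids) for p in deny
            ):
                members.append(parts[1])
    return {name: sorted(apps.get(name, [])) for name in members}
```

Calling `classes_for_client(SAMPLE_CONF, ["10.20.30.5"])` shows the constructed Mac address landing in both classes because of the broad `10.20.*` entry.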
Thank you! I realized that after making the corrections, I just needed to restart the Splunk service for the deployment server and everything updated. I'm no longer seeing Mac devices in Windows server classes.
You don't need to restart the service, you can simply reload the deployment server:
That will cause the deployment server to reload, accepting any configuration changes.