New to this, but getting on ok. I'm just a little confused about new client PCs or Servers being added to a server class.
What we have done so far...
All running on MS server 2008 r2 or Windows 7
'Splunk Enterprise server' v6.2.2 build and set to receive, server class setup with clients added, reporting as expected from the initially added clients.
'Splunk Universal Forwarder' v6.2.4 installed and reporting as mentioned above, we are filtering the events successfully (not relevant but want to give a full picture).
My question is, when we first set up a 'server class', we were able to add all the found clients. This worked all ok. We are rolling out the 'Universal Forwarder' with SCCM and now have more clients that are being seen by the 'Splunk Enterprise Server'. When you go into 'Forwarder manager', Server Classes tab, we select our server class that we created by the name displayed. In there, you see you see the clients. If we right click on the edit button/edit clients, we can see clients that are not members (e.g. not ticked) of the server class, but there seems to be no way of adding these clients.
Can you add clients? if so how?
Many thanks for reading and you help
When you are in the Edit Clients screen, you need to use the whitelist box to include the new hosts. Either add their IP addreses, client names, host names, or DNS names (comma-delimited, or use wildcards). Then, click the "Preview" button. You should see those clients become checked. Then, you can click Save and it'll add those clients to your server class.
I also found in 6.2.2 when you edit the whitelist, the old entry disappears.
I have been keeping a list of the entries and then when it needs to be changed, I add to my list and then just copy/paste
I also really like the Filter by Machine type if you are looking for all window servers.
If you have a good cross section of OSes phoning home.
Just do "*" in the white list and select the OS types you want to include
This also works for Linux
Thanks for reading the question and you help...
we had tried to add to the white list but when you type in a name it looses all the other clients!
followed one of the links (thanks) and we are now using a wild card in the whitelist *
You can type multiple names (or patterns) separated by commas.
Should put checks next to the appropriate hosts, as in the sample list below: