I want to know if there's an API to add a new server (app05) to serverClass:Legacy_App and have it auto-generate the next whitelist.# number.
I don't want to specify whitelist.2=legacy305 in the API because I will have a lot of servers in Legacy_App, and I can't remember what the next whitelist number is every time I try to add a new server.
[serverClass:Legacy_App]
whitelist.0=legacy105
whitelist.1=legacyapp205
# want this line to be automatic (no need to specify whitelist.2)
whitelist.2=app305
Unfortunately, the lack of an answer for this required me to work in the other direction.
I created an app that included a script to run against the inventory system's API to create a text file of the "active" assets. The serverclass is then set up through serverclass.conf to ingest that file for the list of active assets.
#serverclass.conf
[serverClass:illinois_urbana_smg_techsvc]
whitelist.from_pathname = etc/apps/illinois-urbana-splunkmgmt-deploymentserver-SMG-serverlist-APP/lookup/smg_active_server_list
It would be great if I could have figured out how to just add a single server to an existing server class without having to build something external.
Yes, there is the endpoint:
curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses -d name=sc_apps_ombra
https://docs.splunk.com/Documentation/Splunk/7.0.2/RESTREF/RESTdeploy#deployment.2Fserver.2Fclients
Yes,
this curl -k -u admin:pass https://localhost:8089/services/deployment/server/serverclasses -d name=sc_apps_ombra is for creating a serverclass.
There's a request parameter for whitelist* but I have to specify an ordinal number.
whitelist. String List of hosts to accept for this server class. For each whitelist, replace with an ordinal number to specify additional whitelists. Filter ordinals must start at 0 and be consecutive.
Is there a way to add whitelist.* automatically with a consecutive number?
That's what I want to know. I have read a few REST API posts on here and I still don't see an answer. Please post if you figured this out. Having ordinals in the serverclass may have made sense at one point, but now, for those of us wanting to automate, this is a challenge.
This is an older post, but we just started using 5000+ Universal Forwarders so this is really relevant to us. After a few months we're really feeling the pain of manual whitelisting. After reading through the documentation and forum posts, here's what I found. You can specify a CSV file, or a field in a CSV file, for the serverclass to read from.
Example: whitelist.from_pathname = clientLists/clientList1_whitelist.csv
https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/Serverclassconf
whitelist.from_pathname = <pathname>
blacklist.from_pathname = <pathname>
* As an alternative to a series of (whitelist|blacklist).<n>, the <clientName>, <IP address>, and <hostname> list can be imported from <pathname> that is either a plain text file or a comma-separated values (CSV) file.
* May be used in conjunction with (whitelist|blacklist).select_field, (whitelist|blacklist).where_field, and (whitelist|blacklist).where_equals.
* If used by itself, then <pathname> specifies a plain text file where one <clientName>, <IP address>, or <hostname> is given per line.
* If used in conjunction with select_field, where_field, and where_equals, then <pathname> specifies a CSV file.
* The <pathname> is relative to $SPLUNK_HOME.
* May also be used in conjunction with (whitelist|blacklist).<n> to specify additional values, but there is no direct relation between them.
* At most one from_pathname may be given per stanza.
There are a few other options with specifying fields in existing CSVs, so I'd recommend taking a look.
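For the ordinal problem this thread keeps returning to, here is an added example (not from any of the posts above and not Splunk's own code) that works on the text of serverclass.conf instead of the REST endpoint: it finds the stanza, checks that the existing whitelist.<n> keys start at 0 and are consecutive, and appends the host under the next number. The function name add_whitelist_entry, the allowed host character set, and the Other_App stanza in the sample are assumptions made for illustration.

```python
import re

STANZA_RE = re.compile(r"^\[(.+)\]$")
KEY_RE = re.compile(r"^whitelist\.(\d+)\s*=\s*(.*)$")
# Assumed safe character set for a host pattern; rejects newlines, '[' and '='
# so a value cannot smuggle extra keys or stanzas into the file.
HOST_RE = re.compile(r"[A-Za-z0-9_.*:-]+")

# Constructed sample: the stanza from the question plus a hypothetical second one.
SAMPLE = """[serverClass:Legacy_App]
whitelist.0=legacy105
whitelist.1=legacyapp205

[serverClass:Other_App]
whitelist.0=web01
"""


def add_whitelist_entry(conf_text, server_class, host):
    """Return conf_text with host added as the next whitelist.<n> of the stanza."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"unsafe host value: {host!r}")
    lines = conf_text.splitlines()
    start = end = None
    for i, line in enumerate(lines):
        m = STANZA_RE.match(line.strip())
        if m and start is None and m.group(1) == f"serverClass:{server_class}":
            start = i
        elif m and start is not None:
            end = i
            break
    if start is None:
        raise KeyError(f"no stanza [serverClass:{server_class}]")
    end = len(lines) if end is None else end
    found = []  # (line index, ordinal, value) for each whitelist.<n> in the stanza
    for i in range(start + 1, end):
        m = KEY_RE.match(lines[i].strip())
        if m:
            found.append((i, int(m.group(1)), m.group(2).strip()))
    # Ordinals must start at 0 and be consecutive; refuse to build on a broken list.
    if sorted(n for _, n, _ in found) != list(range(len(found))):
        raise ValueError("whitelist ordinals are not consecutive from 0")
    if any(value == host for _, _, value in found):
        return conf_text  # already listed, nothing to do
    insert_at = max((i for i, _, _ in found), default=start) + 1
    lines.insert(insert_at, f"whitelist.{len(found)}={host}")
    return "\n".join(lines) + "\n"
```

Writing the returned text back to serverclass.conf and having the deployment server pick it up are left to the caller.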