Getting Data In

Server Class Blacklisting Not working

ylucena
Explorer

Hello all,

I am trying to blacklist some of the apps below. It doesn't matter what I do, the apps continue to get deployed to our QA search head. I had already checked whether these apps are being being deployed there via any other server class and they are not. According to the docs, the blacklists below should work, right? I tried different ways of blacklisting them with no success... I would greatly appreciate any help. Thank you.

    [serverClass:all_gensearch]
            filterType = whitelist
            whitelist.0 = spkprtsrch01*|spkqatsrch*
            restartSplunkd = false
            issueReload = true

    [serverClass:all_gensearch:app:SA-ldapsearch]
    [serverClass:all_gensearch:app:splunk_app_windows_infrastructure]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_ad]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_dns]
    [serverClass:all_gensearch:app:TA-maclookup]
    [serverClass:all_gensearch:app:TA-user-agents]
    [serverClass:all_gensearch:app:TA_cisco_cdr

    [serverClass:all_gensearch:app:Splunk_TA_nginx]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:SA-nix]
            restartSplunkd = false

    [serverClass:all_gensearch:app:splunk_app_jenkins]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:NetSkopeAppForSplunk]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:duo_splunkapp]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:zscalersplunkapp]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:GSuiteForSplunk]
            blacklist.0 = spkqatsrch*
0 Karma

nickhills
Ultra Champion

You don't blacklist apps, you blacklists hosts from serverclasses.
But in your case, you shouldn't need to - a whitelist will do the job.

For each configuration of applications, you should create a server class.
Black/Whitelists are applied to the serverclass, not the applications within it.

In the answer below, I have created two server classes - one for your gensearch (which I guess is Prod), and one for QAsearch
Then each server class has a different collections of applications.

so:

[serverClass:all_gensearch]
             filterType = whitelist
             whitelist.0 = spkprtsrch01
             restartSplunkd = false
             issueReload = true

[serverClass:all_QAsearch]
             filterType = whitelist
             whitelist.0 = spkqatsrch*
             restartSplunkd = false
             issueReload = true

     [serverClass:all_gensearch:app:SA-ldapsearch]
     [serverClass:all_gensearch:app:splunk_app_windows_infrastructure]
     [serverClass:all_gensearch:app:Splunk_TA_microsoft_ad]
     [serverClass:all_gensearch:app:Splunk_TA_microsoft_dns]
     [serverClass:all_gensearch:app:TA-maclookup]
     [serverClass:all_gensearch:app:TA-user-agents]
     [serverClass:all_gensearch:app:TA_cisco_cdr
     [serverClass:all_gensearch:app:Splunk_TA_nginx]
     [serverClass:all_gensearch:app:SA-nix]
     [serverClass:all_gensearch:app:splunk_app_jenkins]
     [serverClass:all_gensearch:app:NetSkopeAppForSplunk]
     [serverClass:all_gensearch:app:TA-Zscaler_CIM]
     [serverClass:all_gensearch:app:duo_splunkapp]
     [serverClass:all_gensearch:app:zscalersplunkapp]
     [serverClass:all_gensearch:app:TA-Zscaler_CIM] 
     [serverClass:all_gensearch:app:GSuiteForSplunk]

     [serverClass:all_QAsearch:app:SA-ldapsearch]
     [serverClass:all_QAsearch:app:splunk_app_windows_infrastructure]
     [serverClass:all_QAsearch:app:Splunk_TA_microsoft_ad]
     [serverClass:all_QAsearch:app:Splunk_TA_microsoft_dns]
     [serverClass:all_QAsearch:app:TA-maclookup]
     [serverClass:all_QAsearch:app:TA-user-agents]
     [serverClass:all_QAsearch:app:TA_cisco_cdr

Should do what you want.

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...