Server Class Blacklisting Not working

ylucena · ‎03-02-2020

Hello all,

I am trying to blacklist some of the apps below. It doesn't matter what I do, the apps continue to get deployed to our QA search head. I had already checked whether these apps are being being deployed there via any other server class and they are not. According to the docs, the blacklists below should work, right? I tried different ways of blacklisting them with no success... I would greatly appreciate any help. Thank you.

    [serverClass:all_gensearch]
            filterType = whitelist
            whitelist.0 = spkprtsrch01*|spkqatsrch*
            restartSplunkd = false
            issueReload = true

    [serverClass:all_gensearch:app:SA-ldapsearch]
    [serverClass:all_gensearch:app:splunk_app_windows_infrastructure]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_ad]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_dns]
    [serverClass:all_gensearch:app:TA-maclookup]
    [serverClass:all_gensearch:app:TA-user-agents]
    [serverClass:all_gensearch:app:TA_cisco_cdr

    [serverClass:all_gensearch:app:Splunk_TA_nginx]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:SA-nix]
            restartSplunkd = false

    [serverClass:all_gensearch:app:splunk_app_jenkins]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:NetSkopeAppForSplunk]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:duo_splunkapp]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:zscalersplunkapp]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:GSuiteForSplunk]
            blacklist.0 = spkqatsrch*

nickhills · ‎03-02-2020

You don't blacklist apps, you blacklists hosts from serverclasses.
But in your case, you shouldn't need to - a whitelist will do the job.

For each configuration of applications, you should create a server class.
Black/Whitelists are applied to the serverclass, not the applications within it.

In the answer below, I have created two server classes - one for your gensearch (which I guess is Prod), and one for QAsearch
Then each server class has a different collections of applications.

so:

[serverClass:all_gensearch]
             filterType = whitelist
             whitelist.0 = spkprtsrch01
             restartSplunkd = false
             issueReload = true

[serverClass:all_QAsearch]
             filterType = whitelist
             whitelist.0 = spkqatsrch*
             restartSplunkd = false
             issueReload = true

     [serverClass:all_gensearch:app:SA-ldapsearch]
     [serverClass:all_gensearch:app:splunk_app_windows_infrastructure]
     [serverClass:all_gensearch:app:Splunk_TA_microsoft_ad]
     [serverClass:all_gensearch:app:Splunk_TA_microsoft_dns]
     [serverClass:all_gensearch:app:TA-maclookup]
     [serverClass:all_gensearch:app:TA-user-agents]
     [serverClass:all_gensearch:app:TA_cisco_cdr
     [serverClass:all_gensearch:app:Splunk_TA_nginx]
     [serverClass:all_gensearch:app:SA-nix]
     [serverClass:all_gensearch:app:splunk_app_jenkins]
     [serverClass:all_gensearch:app:NetSkopeAppForSplunk]
     [serverClass:all_gensearch:app:TA-Zscaler_CIM]
     [serverClass:all_gensearch:app:duo_splunkapp]
     [serverClass:all_gensearch:app:zscalersplunkapp]
     [serverClass:all_gensearch:app:TA-Zscaler_CIM] 
     [serverClass:all_gensearch:app:GSuiteForSplunk]

     [serverClass:all_QAsearch:app:SA-ldapsearch]
     [serverClass:all_QAsearch:app:splunk_app_windows_infrastructure]
     [serverClass:all_QAsearch:app:Splunk_TA_microsoft_ad]
     [serverClass:all_QAsearch:app:Splunk_TA_microsoft_dns]
     [serverClass:all_QAsearch:app:TA-maclookup]
     [serverClass:all_QAsearch:app:TA-user-agents]
     [serverClass:all_QAsearch:app:TA_cisco_cdr

Should do what you want.

If my comment helps, please give it a thumbs up!

Server Class Blacklisting Not working

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Server Class Blacklisting Not working

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers