Getting Data In

Server Class Blacklisting Not working

ylucena
Explorer

Hello all,

I am trying to blacklist some of the apps below. It doesn't matter what I do, the apps continue to get deployed to our QA search head. I had already checked whether these apps are being deployed there via any other server class and they are not. According to the docs, the blacklists below should work, right? I tried different ways of blacklisting them with no success... I would greatly appreciate any help. Thank you.

    [serverClass:all_gensearch]
            filterType = whitelist
            whitelist.0 = spkprtsrch01*|spkqatsrch*
            restartSplunkd = false
            issueReload = true

    [serverClass:all_gensearch:app:SA-ldapsearch]
    [serverClass:all_gensearch:app:splunk_app_windows_infrastructure]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_ad]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_dns]
    [serverClass:all_gensearch:app:TA-maclookup]
    [serverClass:all_gensearch:app:TA-user-agents]
    [serverClass:all_gensearch:app:TA_cisco_cdr

    [serverClass:all_gensearch:app:Splunk_TA_nginx]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:SA-nix]
            restartSplunkd = false

    [serverClass:all_gensearch:app:splunk_app_jenkins]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:NetSkopeAppForSplunk]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:duo_splunkapp]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:zscalersplunkapp]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:GSuiteForSplunk]
            blacklist.0 = spkqatsrch*
0 Karma

nickhills
Ultra Champion

You don't blacklist apps, you blacklist hosts from serverclasses.
But in your case, you shouldn't need to - a whitelist will do the job.

For each configuration of applications, you should create a server class.
Black/Whitelists are applied to the serverclass, not the applications within it.

In the answer below, I have created two server classes - one for your gensearch (which I guess is Prod), and one for QAsearch.
Then each server class has a different collection of applications.

So:

    [serverClass:all_gensearch]
            filterType = whitelist
            whitelist.0 = spkprtsrch01
            restartSplunkd = false
            issueReload = true

    [serverClass:all_QAsearch]
            filterType = whitelist
            whitelist.0 = spkqatsrch*
            restartSplunkd = false
            issueReload = true

    [serverClass:all_gensearch:app:SA-ldapsearch]
    [serverClass:all_gensearch:app:splunk_app_windows_infrastructure]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_ad]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_dns]
    [serverClass:all_gensearch:app:TA-maclookup]
    [serverClass:all_gensearch:app:TA-user-agents]
    [serverClass:all_gensearch:app:TA_cisco_cdr]
    [serverClass:all_gensearch:app:Splunk_TA_nginx]
    [serverClass:all_gensearch:app:SA-nix]
    [serverClass:all_gensearch:app:splunk_app_jenkins]
    [serverClass:all_gensearch:app:NetSkopeAppForSplunk]
    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
    [serverClass:all_gensearch:app:duo_splunkapp]
    [serverClass:all_gensearch:app:zscalersplunkapp]
    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
    [serverClass:all_gensearch:app:GSuiteForSplunk]

    [serverClass:all_QAsearch:app:SA-ldapsearch]
    [serverClass:all_QAsearch:app:splunk_app_windows_infrastructure]
    [serverClass:all_QAsearch:app:Splunk_TA_microsoft_ad]
    [serverClass:all_QAsearch:app:Splunk_TA_microsoft_dns]
    [serverClass:all_QAsearch:app:TA-maclookup]
    [serverClass:all_QAsearch:app:TA-user-agents]
    [serverClass:all_QAsearch:app:TA_cisco_cdr]

Should do what you want.

If my comment helps, please give it a thumbs up!
0 Karma
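
A pre-deployment lint for the kind of serverclass.conf discussed in this thread, as an added example that is not part of either post and not Splunk's own tooling: it flags unterminated stanza headers, duplicate stanzas, and whitelist/blacklist keys placed on app stanzas. The `lint` function and the sample text are constructed for illustration; treating app-level filter keys as a finding follows the answer above and is an assumption, not a rule Splunk enforces.

```python
import re
from collections import Counter

# Constructed sample in the shape of the question's serverclass.conf (not a full copy).
SAMPLE = """\
[serverClass:all_gensearch]
filterType = whitelist
whitelist.0 = spkprtsrch01*|spkqatsrch*

[serverClass:all_gensearch:app:TA_cisco_cdr
[serverClass:all_gensearch:app:TA-Zscaler_CIM]
blacklist.0 = spkqatsrch*
[serverClass:all_gensearch:app:TA-Zscaler_CIM]
blacklist.0 = spkqatsrch*
"""

# Numbered host filter keys such as whitelist.0 or blacklist.3
FILTER_KEY = re.compile(r"^(whitelist|blacklist)\.\d+$")


def lint(text):
    """Return a list of (line_number, message) findings for a serverclass.conf text."""
    findings, seen, current = [], Counter(), None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            if not line.endswith("]"):
                findings.append((n, f"unterminated stanza header: {line}"))
                current = None  # settings that follow cannot be attributed to a stanza
                continue
            current = line[1:-1]
            seen[current] += 1
            if seen[current] > 1:
                findings.append((n, f"duplicate stanza: {current}"))
            continue
        key = line.split("=", 1)[0].strip()
        # Assumption (from the answer above): host filters belong on the server class.
        if current and ":app:" in current and FILTER_KEY.match(key):
            findings.append((n, f"{key} set on app stanza {current}"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"line {lineno}: {message}")
```
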