Getting Data In

Server Class Blacklisting Not working

ylucena
Explorer

Hello all,

I am trying to blacklist some of the apps below. It doesn't matter what I do, the apps continue to get deployed to our QA search head. I had already checked whether these apps are being being deployed there via any other server class and they are not. According to the docs, the blacklists below should work, right? I tried different ways of blacklisting them with no success... I would greatly appreciate any help. Thank you.

    [serverClass:all_gensearch]
            filterType = whitelist
            whitelist.0 = spkprtsrch01*|spkqatsrch*
            restartSplunkd = false
            issueReload = true

    [serverClass:all_gensearch:app:SA-ldapsearch]
    [serverClass:all_gensearch:app:splunk_app_windows_infrastructure]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_ad]
    [serverClass:all_gensearch:app:Splunk_TA_microsoft_dns]
    [serverClass:all_gensearch:app:TA-maclookup]
    [serverClass:all_gensearch:app:TA-user-agents]
    [serverClass:all_gensearch:app:TA_cisco_cdr

    [serverClass:all_gensearch:app:Splunk_TA_nginx]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:SA-nix]
            restartSplunkd = false

    [serverClass:all_gensearch:app:splunk_app_jenkins]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:NetSkopeAppForSplunk]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:duo_splunkapp]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:zscalersplunkapp]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:TA-Zscaler_CIM]
            blacklist.0 = spkqatsrch*

    [serverClass:all_gensearch:app:GSuiteForSplunk]
            blacklist.0 = spkqatsrch*
0 Karma

nickhills
Ultra Champion

You don't blacklist apps, you blacklists hosts from serverclasses.
But in your case, you shouldn't need to - a whitelist will do the job.

For each configuration of applications, you should create a server class.
Black/Whitelists are applied to the serverclass, not the applications within it.

In the answer below, I have created two server classes - one for your gensearch (which I guess is Prod), and one for QAsearch
Then each server class has a different collections of applications.

so:

[serverClass:all_gensearch]
             filterType = whitelist
             whitelist.0 = spkprtsrch01
             restartSplunkd = false
             issueReload = true

[serverClass:all_QAsearch]
             filterType = whitelist
             whitelist.0 = spkqatsrch*
             restartSplunkd = false
             issueReload = true

     [serverClass:all_gensearch:app:SA-ldapsearch]
     [serverClass:all_gensearch:app:splunk_app_windows_infrastructure]
     [serverClass:all_gensearch:app:Splunk_TA_microsoft_ad]
     [serverClass:all_gensearch:app:Splunk_TA_microsoft_dns]
     [serverClass:all_gensearch:app:TA-maclookup]
     [serverClass:all_gensearch:app:TA-user-agents]
     [serverClass:all_gensearch:app:TA_cisco_cdr
     [serverClass:all_gensearch:app:Splunk_TA_nginx]
     [serverClass:all_gensearch:app:SA-nix]
     [serverClass:all_gensearch:app:splunk_app_jenkins]
     [serverClass:all_gensearch:app:NetSkopeAppForSplunk]
     [serverClass:all_gensearch:app:TA-Zscaler_CIM]
     [serverClass:all_gensearch:app:duo_splunkapp]
     [serverClass:all_gensearch:app:zscalersplunkapp]
     [serverClass:all_gensearch:app:TA-Zscaler_CIM] 
     [serverClass:all_gensearch:app:GSuiteForSplunk]

     [serverClass:all_QAsearch:app:SA-ldapsearch]
     [serverClass:all_QAsearch:app:splunk_app_windows_infrastructure]
     [serverClass:all_QAsearch:app:Splunk_TA_microsoft_ad]
     [serverClass:all_QAsearch:app:Splunk_TA_microsoft_dns]
     [serverClass:all_QAsearch:app:TA-maclookup]
     [serverClass:all_QAsearch:app:TA-user-agents]
     [serverClass:all_QAsearch:app:TA_cisco_cdr

Should do what you want.

If my comment helps, please give it a thumbs up!
0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...