Why is "machineTypesFilter" not pushing to both Windows apps?

rgonzale6
Path Finder

I've got an odd issue where my Linux clients are getting the 'forward logs' app, but my Windows ones are not. My Windows clients are properly getting the 'set input' app, though. I could cheat and put an outputs.conf in my 'winlogs' app but I'd like to figure out what I'm doing wrong. Thanks!

[global]
# Filter (whitelist) all clients
whitelist.0 = *


[serverClass:AppsByMachineType]
# Ensure this server class is matched by all clients. It is IMPORTANT to
# have a general filter here, and a more specific filter at the app level.
# An app is matched _only_ if the server class it is contained in was
# successfully matched!
whitelist.0=*

[serverClass:AppsByMachineType:app:winlogs]
# Deploy this app only to Windows boxes.
machineTypesFilter=windows-*
whitelist.0=*
stateOnClient = enabled
restartSplunkd = true

[serverClass:AppsByMachineType:app:fwd_logs]
# Deploy this app only to Windows boxes.
machineTypesFilter=windows-*
whitelist.0=*
stateOnClient = enabled
restartSplunkd = true

[serverClass:AppsByMachineType:app:linlogs]
# Deploy this app only to unix boxes - 32/64 bit.
machineTypesFilter=linux-i686, linux-x86_64
whitelist.0=*
stateOnClient = enabled
restartSplunkd = true

[serverClass:AppsByMachineType:app:fwd_logs]
# Deploy this app only to unix boxes - 32/64 bit.
machineTypesFilter=linux-i686, linux-x86_64
whitelist.0=*
stateOnClient = enabled
restartSplunkd = true
0 Karma

gjanders
SplunkTrust
 [global]
 # Filter (whitelist) all clients
 whitelist.0 = *

I'm unsure why you have this entry here, I do not have it.

 [serverClass:AppsByMachineType]
 # Ensure this server class is matched by all clients. It is IMPORTANT to
 # have a general filter here, and a more specific filter at the app level.
 # An app is matched _only_ if the server class it is contained in was
 # successfully matched!
 whitelist.0=*

 [serverClass:AppsByMachineType:app:winlogs]
 # Deploy this app only to Windows boxes.
 machineTypesFilter=windows-*

serverclass.conf - Splunk Documentation

The documentation is confusing here, if you read it carefully:
Under:

THIRD LEVEL: app ###########

It does not say you may use machineTypesFilter here. I'm wondering if the examples are wrong but the remainder of the documentation is correct.

It does say:

# NOTE:
# The keys listed below are all described in detail in the
# [global] section above. They can be used with serverClass stanza to
# override the global setting
continueMatching = true | false
endpoint = <URL template string>
excludeFromUpdate = <path>[,<path>]...
filterType = whitelist | blacklist
whitelist.<n> = <clientName> | <IP address> | <hostname>
blacklist.<n> = <clientName> | <IP address> | <hostname>
machineTypesFilter = <comma-separated list>
restartSplunkWeb = true | false
restartSplunkd = true | false
issueReload = true | false
restartIfNeeded = true | false
stateOnClient = enabled | disabled | noop
repositoryLocation = <path>

I can confirm that machineTypesFilter= works at the serverClass stanza level, perhaps you could use:

 [serverClass:WindowsApps]
 # Ensure this server class is matched by all clients. It is IMPORTANT to
 # have a general filter here, and a more specific filter at the app level.
 # An app is matched _only_ if the server class it is contained in was
 # successfully matched!
 whitelist.0=*
 machineTypesFilter=windows-*

 [serverClass:WindowsApps:app:winlogs]
 # Deploy this app only to Windows boxes.
 machineTypesFilter=windows-*
 whitelist.0=*
 stateOnClient = enabled
 restartSplunkd = true

 [serverClass:WindowsApps:app:fwd_logs]
 # Deploy this app only to Windows boxes.
 machineTypesFilter=windows-*
 whitelist.0=*
 stateOnClient = enabled
 restartSplunkd = true

 [serverClass:LinuxApps]
 # Ensure this server class is matched by all clients. It is IMPORTANT to
 # have a general filter here, and a more specific filter at the app level.
 # An app is matched _only_ if the server class it is contained in was
 # successfully matched!
 whitelist.0=*
 machineTypesFilter=linux-*

 [serverClass:LinuxApps:app:linlogs]
 # Deploy this app only to unix boxes - 32/64 bit.
 restartSplunkd = true

 [serverClass:LinuxApps:app:fwd_logs]
 restartSplunkd = true

Note that you might want to look into issueReload/restartIfNeeded if you're running really new forwarder versions.

0 Karma

MuS
Legend

Hi there,

Did you check with btool that your config is applied?

$SPLUNK_HOME/bin/splunk btool serverclass list --debug will show you what config is applied and where the config is coming from, e.g. the .conf file.

0 Karma
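
Alongside the btool check suggested above, a lint of the posted serverclass.conf shows that the stanza [serverClass:AppsByMachineType:app:fwd_logs] appears twice with different machineTypesFilter values. This is an added example, not part of the thread or Splunk's own tooling; the sample is trimmed from the question, and `effective()` assumes a repeated stanza is merged with the later value winning.

```python
import re
from collections import defaultdict

# Constructed sample: app-level stanzas trimmed from the question's serverclass.conf.
SAMPLE = """\
[serverClass:AppsByMachineType:app:winlogs]
machineTypesFilter=windows-*

[serverClass:AppsByMachineType:app:fwd_logs]
machineTypesFilter=windows-*
restartSplunkd = true

[serverClass:AppsByMachineType:app:fwd_logs]
machineTypesFilter=linux-i686, linux-x86_64
restartSplunkd = true
"""

def parse(text):
    """Yield (line_no, stanza, key, value) for every setting line."""
    stanza = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            stanza = m.group(1)
        elif "=" in line and stanza is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            yield no, stanza, key, value

def find_conflicts(text):
    """Return {(stanza, key): [(line_no, value), ...]} where the values differ."""
    seen = defaultdict(list)
    for no, stanza, key, value in parse(text):
        seen[(stanza, key)].append((no, value))
    return {k: v for k, v in seen.items() if len({val for _, val in v}) > 1}

def effective(text):
    """Merge repeated stanzas. ASSUMPTION: a later value replaces an earlier one."""
    merged = defaultdict(dict)
    for _, stanza, key, value in parse(text):
        merged[stanza][key] = value
    return merged

if __name__ == "__main__":
    for (stanza, key), hits in find_conflicts(SAMPLE).items():
        print(f"[{stanza}] {key}: {hits} -> effective {effective(SAMPLE)[stanza][key]!r}")
```

Settings repeated with the same value, such as restartSplunkd here, are not reported; only keys whose values disagree between copies of a stanza are.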