I'm transitioning my hosts from one set of indexers in Seattle to another set in Atlanta, in between, a heavy forwarder. I created a new forwarder app to install on the hosts, and created a serverclass to assign it. The app was installed on the host, but the old app wasn't removed. Below is my config:
[global]
restartSplunkd=true
stateOnClient = enabled
[serverClass:UF_config]
filterType = blacklist
blacklist.0 = swfctxfrm05
whitelist.0 = *
[serverClass:UF_config:app:UFconfig]
[serverClass:test_ctx]
filtertype = whitelist
whitelist.0 = swfctxfrm05
[serverClass:test_ctx:app:NewUFConfig]
[serverClass:test_ctx:app:10_inputs_windows_citrix]
[serverClass:test_ctx:app:Splunk_TA_Windows_4.8]
I thought the changing of filtertype from whitelist to blacklist would mean that I'd be able to add a host in the blacklist section before the whitelist section, which would then remove the UF_Config app from swfctxfrm05. swfctxfrm05 received the NewUFConfig app, but the UF_Config app is still there as well. Could someone help w/ this?
Try it like this. White list everything for the class name, then in the app class definition use the blacklist.
[serverClass:UF_config]
filterType = whitelist
whitelist.0 = *
[serverClass:UF_config:app:UFconfig]
filterType=blacklist
blacklist.0 = swfctxfrm05
Try it like this. White list everything for the class name, then in the app class definition use the blacklist.
[serverClass:UF_config]
filterType = whitelist
whitelist.0 = *
[serverClass:UF_config:app:UFconfig]
filterType=blacklist
blacklist.0 = swfctxfrm05
That's interesting. Once I made that change and reloaded the deploy server, the apps listed are 10_inputs_windows_citrix
NewUFConfig
Splunk_TA_Windows_4.8
Splunk_TA_windows_4.8
Not sure why that last one is listed twice. Anyways, it still shows as being in the UF_config serverclass. And the data isn't getting to the new indexers. Is there any place I can check to see if the data is making it to the heavy forwarder?
Thanks for the help, btw.
Also just want to make note that I dont use the Forwarder Management UI for maintaining any of my serverclass.conf settings. I find it easier to work directly in the conf file. While Im confident in the setting I am giving you, I cant say for sure that the Forwarder Management UI will like them.
You can read more about what I am talking about here under Limitations
http://docs.splunk.com/Documentation/Splunk/6.3.2/Updating/Forwardermanagementoverview
And also some good info here
http://docs.splunk.com/Documentation/Splunk/6.3.2/Updating/Forwardermanagementcompatibility
Ok that sounds promising that now you have the correct apps on swfctxfrm05 (besides the one listed twice. is it possible that Splunk_TA_windows_4.8 was manually created on that host?)
First thing I would check is the splunkd.log file on swfctxfrm05 to see if it is making connections to the heavy forwarder.
You should see events like this in the splunkd.log on swfctxfrm05 , where the IP is the heavy forwarder.
TcpOutputProc - Connected to idx=10.10.10.10:9997
I don't have local or rdp access to the host in question, but I could check the _internal log via splunk. After doing so, I see that it's connecting to the heavy forwarder, so apparently I messed up my props.conf stanza for forwarding the traffic to the new indexers.
I think this particular problem is solved. Thank you very much for your time and attention 🙂
When you pull this serverclass up in the gui and click preview is swfctxfrm05 checked or unchecked?
The server is shown in that serverclass in the UI, yeah. It's also shown in the old serverclass as well.