serverclass.conf blacklist not working

banderson7
Communicator

I'm transitioning my hosts from one set of indexers in Seattle to another set in Atlanta, with a heavy forwarder in between. I created a new forwarder app to install on the hosts, and created a serverclass to assign it. The app was installed on the host, but the old app wasn't removed. Below is my config:

[global]
restartSplunkd=true     
stateOnClient = enabled 

[serverClass:UF_config]
filterType = blacklist
blacklist.0 = swfctxfrm05
whitelist.0 = *
[serverClass:UF_config:app:UFconfig]

[serverClass:test_ctx]
filtertype = whitelist
whitelist.0 = swfctxfrm05
[serverClass:test_ctx:app:NewUFConfig]
[serverClass:test_ctx:app:10_inputs_windows_citrix]
[serverClass:test_ctx:app:Splunk_TA_Windows_4.8]

I thought the changing of filtertype from whitelist to blacklist would mean that I'd be able to add a host in the blacklist section before the whitelist section, which would then remove the UF_Config app from swfctxfrm05. swfctxfrm05 received the NewUFConfig app, but the UF_Config app is still there as well. Could someone help w/ this?

0 Karma

cramasta
Builder

Try it like this. Whitelist everything for the class name, then in the app class definition use the blacklist.

[serverClass:UF_config]
filterType = whitelist
whitelist.0 = *

[serverClass:UF_config:app:UFconfig]
filterType=blacklist
blacklist.0 = swfctxfrm05

0 Karma
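
An added example (not code from the thread or from Splunk) that evaluates one stanza's filters with the filterType precedence given in serverclass.conf.spec: whitelist mode is default no-match, whitelists enable, blacklists disable; blacklist mode is default match, blacklists disable, whitelists re-enable. Assumptions: matching is on hostname only with `*` as a glob, each stanza is evaluated on its own filters without inheriting from its parent, and `otherhost` in the usage is a constructed hostname.

```python
from fnmatch import fnmatchcase

def parse_stanza(text):
    """Return (filterType, whitelist patterns, blacklist patterns) for one stanza."""
    filter_type, white, black = "whitelist", [], []  # spec default is whitelist
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "filterType":
            filter_type = value
        elif key.startswith("whitelist."):
            white.append(value)
        elif key.startswith("blacklist."):
            black.append(value)
    return filter_type, white, black

def client_matches(stanza_text, host):
    """True if `host` is considered to match the stanza."""
    filter_type, white, black = parse_stanza(stanza_text)
    in_white = any(fnmatchcase(host, p) for p in white)
    in_black = any(fnmatchcase(host, p) for p in black)
    if filter_type == "blacklist":
        # default match -> blacklists disable -> whitelists re-enable
        return in_white or not in_black
    # default no-match -> whitelists enable -> blacklists disable
    return in_white and not in_black

# Stanzas copied from the thread.
QUESTION_CLASS = """[serverClass:UF_config]
filterType = blacklist
blacklist.0 = swfctxfrm05
whitelist.0 = *"""
ANSWER_CLASS = """[serverClass:UF_config]
filterType = whitelist
whitelist.0 = *"""
ANSWER_APP = """[serverClass:UF_config:app:UFconfig]
filterType=blacklist
blacklist.0 = swfctxfrm05"""

if __name__ == "__main__":
    for name, stanza in [("question class", QUESTION_CLASS),
                         ("answer class", ANSWER_CLASS),
                         ("answer app", ANSWER_APP)]:
        print(name, client_matches(stanza, "swfctxfrm05"))
```

Under these rules the stanza from the question still matches swfctxfrm05, because `whitelist.0 = *` re-enables the blacklisted host in blacklist mode, while the app-level stanza from the answer excludes it and the class-level stanza keeps it as a member of the server class.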

banderson7
Communicator

That's interesting. Once I made that change and reloaded the deploy server, the apps listed are:

10_inputs_windows_citrix
NewUFConfig
Splunk_TA_Windows_4.8
Splunk_TA_windows_4.8

Not sure why that last one is listed twice. Anyways, it still shows as being in the UF_config serverclass. And the data isn't getting to the new indexers. Is there any place I can check to see if the data is making it to the heavy forwarder?

Thanks for the help, btw.

0 Karma

cramasta
Builder

Also just want to make note that I don't use the Forwarder Management UI for maintaining any of my serverclass.conf settings. I find it easier to work directly in the conf file. While I'm confident in the setting I am giving you, I can't say for sure that the Forwarder Management UI will like them.

0 Karma

cramasta
Builder

OK, that sounds promising that now you have the correct apps on swfctxfrm05 (besides the one listed twice. Is it possible that Splunk_TA_windows_4.8 was manually created on that host?)

First thing I would check is the splunkd.log file on swfctxfrm05 to see if it is making connections to the heavy forwarder.

You should see events like this in the splunkd.log on swfctxfrm05, where the IP is the heavy forwarder.
TcpOutputProc - Connected to idx=10.10.10.10:9997

0 Karma

banderson7
Communicator

I don't have local or rdp access to the host in question, but I could check the _internal log via splunk. After doing so, I see that it's connecting to the heavy forwarder, so apparently I messed up my props.conf stanza for forwarding the traffic to the new indexers.
I think this particular problem is solved. Thank you very much for your time and attention 🙂

0 Karma

lycollicott
Motivator

When you pull this serverclass up in the GUI and click preview, is swfctxfrm05 checked or unchecked?

0 Karma

banderson7
Communicator

The server is shown in that serverclass in the UI, yeah. It's also shown in the old serverclass as well.

0 Karma