Splunk Search

How does integrating Splunk Universal Forwarder into a Windows System Image work with a deployment server?

MikeElliott
Communicator

Hi all,

I have been working on integrating the Splunk Universal Forwarder into a system image that we will use to deploy to new assets going forwards, as per this Splunkbase Article.

I was wondering how this works with the deployment server? I know that the forwarders deployed with the images will reach out to the deployment server, but I was wondering if there is a way to automatically sort the new hosts into a certain server class, or whether this has to be done manually?

0 Karma
1 Solution

MikeElliott
Communicator

Splunk supports PCRE(ish) RegEx in the deployment server serverclass web GUI - We achieved the result by writing a PCRE compatible RegEx and applied it in the whitelist/blacklist.

View solution in original post

0 Karma

MikeElliott
Communicator

Splunk supports PCRE(ish) RegEx in the deployment server serverclass web GUI - We achieved the result by writing a PCRE compatible RegEx and applied it in the whitelist/blacklist.

0 Karma

MikeElliott
Communicator

If it is helpful, we have a regex we can use to identify the specific assets - Would we put this into the serverclass whitelist?

0 Karma

adonio
Ultra Champion

first create your serverclasses, create the hosts (clients) whitelist with wild cards to match future forwarders
for example, lets imagine all your jukebox application servers has the naming convention: jukeboxXXXX
you can whilelist "jukebox*" in serverclass and every new forwarder that has the matching convention will happily join to disco

MikeElliott
Communicator

I love your example - I really do!

As it turns out, we use quite a weird naming convention that doesn't necessarily work with an asterisk wild card, however, whilst playing around with your suggestion, I noticed that the server class whitelist (in the deployment server GUI) supports PCRE-ish RegEx, so we tried it, it worked and away we went 🙂

Thank you for the comment that lead me to play around a bit 🙂

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...