Why is the regular expression for my whitelist in serverclass.conf not matching as expected?

torndorff
Explorer

I'm working to simplify a serverclass.conf and am struggling to get regex working.

For example:

[serverClass:ConfigUnixBase_OnPrem_Denver_Lab]
whitelist.0 = (?i)dhe[li]*   # denver non-prod
blacklist.0 = SPLUNK-DEPLOY*
blacklist.1 = SPLUNK-CMASTER*
blacklist.2 = SPLUNK-LICENSE*
blacklist.3 = SPLUNK-SEARCH*
blacklist.4 = SPLUNK-INDEXER*
blacklist.5 = SPLUNK-HVYFWD*
blacklist.6 = nhex*   # new york prod
blacklist.7 = nhed*  # new york lab/dev
blacklist.8 = nhep*  # new york lab/dev

I have hosts phoning in with the names dhelapp001 and DHEIAPP001 and neither are matching the whitelist.

I'm reading the manual and I feel this should work from these lines:

* These patterns are PCRE regular expressions, with the following aids for
  easier entry:
    * You can specify simply '.' to mean '\.'
    * You can specify simply '*' to mean '.*'
* Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.

I've been banging at this for hours and cannot wrap my head around what regex can actually live in this value. Shouldn't (?i)dhe[li]* work in this case? Alternatively, I could list these out on two rows, but then I have to duplicate even those to get around case-sensitivity (e.g. dhel* will not match DHEL*).

0 Karma
1 Solution

torndorff
Explorer

I resolved this today. The comments at the end of each blacklist or whitelist are not acting like comments. Once removed, the whitelist/blacklist works fine.

0 Karma
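To make the diagnosis concrete, here is an added Python model (example code written for this page, not Splunk's own) of how the spec lines quoted in the question turn a whitelist value into a regex, and why a trailing "# comment" breaks matching. It assumes whole-name, case-insensitive matching and that '#' starts a comment only at the beginning of a line; the conf text is constructed from the stanza in the question.

```python
import re

# Constructed serverclass.conf fragments modelled on the question: the stanza as
# posted, with "comments" after the values, and the same stanza with them removed.
BROKEN_CONF = """[serverClass:ConfigUnixBase_OnPrem_Denver_Lab]
whitelist.0 = (?i)dhe[li]*   # denver non-prod
blacklist.0 = SPLUNK-DEPLOY*
blacklist.6 = nhex*   # new york prod
"""
FIXED_CONF = """[serverClass:ConfigUnixBase_OnPrem_Denver_Lab]
whitelist.0 = dhe[li]*
blacklist.0 = SPLUNK-DEPLOY*
blacklist.6 = nhex*
"""


def parse_stanza(conf_text):
    """Return {key: value}. Assumption: '#' opens a comment only at the start of a
    line, so everything after '=' (minus surrounding whitespace) is the value."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def to_regex(pattern):
    """Apply the entry aids quoted from the spec: '.' means '\\.' and '*' means '.*'."""
    return pattern.replace(".", r"\.").replace("*", ".*")


def is_member(conf_text, hostname):
    """True if hostname matches a whitelist entry and no blacklist entry.
    Assumption: whole-name match; case-insensitive as the spec states."""
    settings = parse_stanza(conf_text)

    def matches(prefix):
        return any(re.fullmatch(to_regex(v), hostname, re.IGNORECASE)
                   for k, v in settings.items() if k.startswith(prefix))

    return bool(matches("whitelist.") and not matches("blacklist."))


def inline_comment_keys(conf_text):
    """Lint: keys whose value still contains '#', i.e. an intended comment that
    became part of the pattern (the trailing text can never match a host name)."""
    return [k for k, v in parse_stanza(conf_text).items() if "#" in v]
```

Running the lint over a serverclass.conf before reloading the deployment server catches this class of mistake without waiting for clients to phone home.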

gokadroid
Motivator

Out of many workarounds, if you like, try this regex if all your servers are in this set (dhel*, dhei*, DHEL*, DHEI*):

whitelist.0 = (dhe(l|i)|DHE(L|I))* # denver non-prod

0 Karma

torndorff
Explorer

If it helps, I'm running Splunk 6.4.1 throughout my environment.

0 Karma

maciep
Champion

The regex seems right. If you're modifying the conf file directly (as opposed to using Forwarder Management), have you reloaded/restarted splunk? Have you tried removing the (?i), since matches are always case insensitive anyway? Not sure if that would matter...

Have you tried adding any exact server names to the whitelist, just to rule out some other issue?

0 Karma

torndorff
Explorer

I'm modifying serverclass.conf directly and not through Forwarder Management, and yes, I've run ./splunk reload deploy-server as well as ./splunk restart just to be on the safe side. DHEIAPP001 is matched when adding DHEI* to the whitelist, but not dhei* or dhe[il]*.

0 Karma