Splunk Search

Why is the regular expression for my whitelist in serverclass.conf not matching as expected?

torndorff
Explorer

I'm working to simplify a serverclass.conf and am struggling to get regex working.

For example:

[serverClass:ConfigUnixBase_OnPrem_Denver_Lab]
whitelist.0 = (?i)dhe[li]*   # denver non-prod
blacklist.0 = SPLUNK-DEPLOY*
blacklist.1 = SPLUNK-CMASTER*
blacklist.2 = SPLUNK-LICENSE*
blacklist.3 = SPLUNK-SEARCH*
blacklist.4 = SPLUNK-INDEXER*
blacklist.5 = SPLUNK-HVYFWD*
blacklist.6 = nhex*   # new york prod
blacklist.7 = nhed*  # new york lab/dev
blacklist.7 = nhep*  # new york lab/dev

I have hosts phoning in with the names dhelapp001 and DHEIAPP001 and neither are matching the whitelist.

I'm reading the manual and I feel this should work from these lines:

* These patterns are PCRE regular expressions, with the following aids for
  easier entry:
    * You can specify simply '.' to mean '\.'
    * You can specify simply '*' to mean '.*'
* Matches are always case-insensitive; you do not need to specify the '(?i)' prefix.

I've been banging at this for hours and cannot wrap my head around what regex can actually live in this value. Shouldnt (?i)dhe[li]* work in this case? Alternatively, I could list these out on two rows but then I have to duplicate even those to get around case-sensitivity (eg: dhel* will not match DHEL*).

0 Karma
1 Solution

torndorff
Explorer

I resolved this today. The comments at the end of each blacklist or whitelist are not acting like comments. Once removed, the whitelist/blacklist works fine.

View solution in original post

0 Karma

torndorff
Explorer

I resolved this today. The comments at the end of each blacklist or whitelist are not acting like comments. Once removed, the whitelist/blacklist works fine.

0 Karma

gokadroid
Motivator

Out of many workarounds if you like try this regex if all your servers are in this set ( dhel* dhei* DHEL* DHEI*)


whitelist.0 = (dhe(l|i)|DHE(L|I))* # denver non-prod

0 Karma

torndorff
Explorer

If it helps, I'm running Splunk 6.4.1 throughout my environment.

0 Karma

maciep
Champion

The regex seems right. If you're modifying the conf file directly (as opposed to using Forwarder Management), have you reloaded/restarted splunk? Have you tried removing the (?i), since matches are always case insensitive anyway? Not sure if that would matter...

Have you tried adding any exact sever names to the whitelist, just to rule out some other issue?

0 Karma

torndorff
Explorer

I'm modifying serverclass.conf directly and not through Forwarder Management and yes, I've ./splunk reload deploy-server as well as ./splunk restart just to be on the safe side. DHEIAPP001 is matched when adding DHEI* to the whitelist but not dhei* or dhe[il]*

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...