Deployment Architecture

Deployment Server Questions: Host matching

kholleran
Communicator

Hi,

I am trying to start using the Deployment Server in Splunk to manage my enterprise of a single indexer & about 100 forwarders.

1.) I am trying to understand the whitelist/blacklist host matching. I have a series of classes & what I want to say is:
"Don't accept anything unless it matches these patterns."

To do that I have the following:
[serverClass:Intercard-Teller-POS]
blacklist.0=*
whitelist.0=.(P|p)(os|OS)
whitelist.1=.(T|t)(eller|ELLER)

The way I understood it was "blacklist everything unless it matches whitelist 1 or 2." I have a series of classes like this, then I have a "catch-all" at the end like this:
[serverClass:therest]
whitelist.0=*
blacklist.0=.(P|p)(os|OS)

where I am trying to say "match everything EXCEPT these patterns (with a list of all the whitelisted patterns used above."

Now my problem is I have a machine called BB377DTELLER2 that I am testing the configuration on & it is showing up in the "therest" class. Am I misunderstanding how the whitelist/blacklists work? I do not have anything in the top level global stanza.

Thanks!

Kevin

Tags (1)
0 Karma
1 Solution

mslvrstn
Communicator

Your style of starting with blacklist.0=* assumes you have set filterType = blacklist above. It's probably just as easy to leave that out and use the default filtertype of whitelist.

The other issue is that the matches must be complete, so to match those patterns within the hostname, surround them with *

Try

[serverClass:Intercard-Teller-POS]
whitelist.0=*(P|p)(os|OS)*
whitelist.1=*(T|t)(eller|ELLER)*

[serverClass:therest]
whitelist.0=*
blacklist.0=*(P|p)(os|OS)*
blacklist.1=*(T|t)(eller|ELLER)*

View solution in original post

kholleran
Communicator

Though filterType=whitelist is supposed to be the default, I put that in and everything is working as expected now...

0 Karma

mslvrstn
Communicator

Your style of starting with blacklist.0=* assumes you have set filterType = blacklist above. It's probably just as easy to leave that out and use the default filtertype of whitelist.

The other issue is that the matches must be complete, so to match those patterns within the hostname, surround them with *

Try

[serverClass:Intercard-Teller-POS]
whitelist.0=*(P|p)(os|OS)*
whitelist.1=*(T|t)(eller|ELLER)*

[serverClass:therest]
whitelist.0=*
blacklist.0=*(P|p)(os|OS)*
blacklist.1=*(T|t)(eller|ELLER)*

kholleran
Communicator

I have stumped EVERYONE! No, but really.... anyone?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...