I am trying to start using the Deployment Server in Splunk to manage my enterprise of a single indexer & about 100 forwarders.
1.) I am trying to understand the whitelist/blacklist host matching. I have a series of classes & what I want to say is:
"Don't accept anything unless it matches these patterns."
To do that I have the following:
The way I understood it was "blacklist everything unless it matches whitelist 1 or 2." I have a series of classes like this, then I have a "catch-all" at the end like this:
where I am trying to say "match everything EXCEPT these patterns" (with a list of all the whitelisted patterns used above).
Now my problem is I have a machine called BB377DTELLER2 that I am testing the configuration on & it is showing up in the "therest" class. Am I misunderstanding how the whitelist/blacklists work? I do not have anything in the top level global stanza.