Groups of hosts for serverclass.conf?

gowen · ‎02-22-2012

Is there any way to group hosts so that a group can be specified in the serverclass.conf whitelist/blacklist rather than hostname regexes? Past a certain number of hosts using regexes like that gets complex and needs to be repeated for each stanza. I'd rather set up a 'webserver' group and throw all my web servers in it and then use that for the various stanzas that want to address those servers.

bwooden · ‎02-22-2012

You may group servers by:

Any clientName specified by the client in its deploymentclient.conf file
The ip address of the connected client
The hostname of the connected client as provided by reverse DNS lookup
The hostname of the client as provided by the client

You can also group them by the type of operating system.

-http://docs.splunk.com/Documentation/Splunk/latest/admin/Serverclassconf

...so if you have servers named like web01 and web02, you can include them with one whitelist

whitelist.0=web\d{2}

or

whitelist.0=web0(1|2)

etc.

You may also set the clientName to 'webserver' on each box in deploymentclient.conf, such that you could use

whitelist.0=webserver

bwooden · ‎02-22-2012

You can often achieve the result via inheritance - but I see your point. It is not possible to explicitly say one serverclass contains another serverclass. This would be a great enhancement request.

gowen · ‎02-22-2012

Those are all 'specify or filter host' solutions with no re-use between stanzas, so it seems the answer is "no, no groups"?

Groups of hosts for serverclass.conf?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases