
Why is "machineTypesFilter" not pushing to both Windows apps?

rgonzale6
Path Finder

I've got an odd issue where my Linux clients are getting the 'forward logs' app, but my Windows ones are not. My Windows clients are properly getting the 'set input' app, though. I could cheat and put an outputs.conf in my 'winlogs' app but I'd like to figure out what I'm doing wrong. Thanks!

[global]
# Filter (whitelist) all clients
whitelist.0 = *


[serverClass:AppsByMachineType]
# Ensure this server class is matched by all clients. It is IMPORTANT to
# have a general filter here, and a more specific filter at the app level.
# An app is matched _only_ if the server class it is contained in was
# successfully matched!
whitelist.0=*

[serverClass:AppsByMachineType:app:winlogs]
# Deploy this app only to Windows boxes.
machineTypesFilter=windows-*
whitelist.0=*
stateOnClient = enabled
restartSplunkd = true

[serverClass:AppsByMachineType:app:fwd_logs]
# Deploy this app only to Windows boxes.
machineTypesFilter=windows-*
whitelist.0=*
stateOnClient = enabled
restartSplunkd = true

[serverClass:AppsByMachineType:app:linlogs]
# Deploy this app only to unix boxes - 32/64 bit.
machineTypesFilter=linux-i686, linux-x86_64
whitelist.0=*
stateOnClient = enabled
restartSplunkd = true

[serverClass:AppsByMachineType:app:fwd_logs]
# Deploy this app only to unix boxes - 32/64 bit.
machineTypesFilter=linux-i686, linux-x86_64
whitelist.0=*
stateOnClient = enabled
restartSplunkd = true
0 Karma

gjanders
SplunkTrust
 [global]
 # Filter (whitelist) all clients
 whitelist.0 = *

I'm unsure why you have this entry here, I do not have it.

 [serverClass:AppsByMachineType]
 # Ensure this server class is matched by all clients. It is IMPORTANT to
 # have a general filter here, and a more specific filter at the app level.
 # An app is matched _only_ if the server class it is contained in was
 # successfully matched!
 whitelist.0=*

 [serverClass:AppsByMachineType:app:winlogs]
 # Deploy this app only to Windows boxes.
 machineTypesFilter=windows-*

serverclass.conf - Splunk Documentation

The documentation is confusing here, if you read it carefully:
Under:

THIRD LEVEL: app ###########

It does not say you may use the machineTypesFilter here; I'm wondering if the examples are wrong but the remainder of the documentation is correct.

It does say:

# NOTE:
# The keys listed below are all described in detail in the
# [global] section above. They can be used with serverClass stanza to
# override the global setting
continueMatching = true | false
endpoint = <URL template string>
excludeFromUpdate = <path>[,<path>]...
filterType = whitelist | blacklist
whitelist.<n> = <clientName> | <IP address> | <hostname>
blacklist.<n> = <clientName> | <IP address> | <hostname>
machineTypesFilter = <comma-separated list>
restartSplunkWeb = true | false
restartSplunkd = true | false
issueReload = true | false
restartIfNeeded = true | false
stateOnClient = enabled | disabled | noop
repositoryLocation = <path>

I can confirm that machineTypesFilter= works at the serverClass stanza level, perhaps you could use:

 [serverClass:WindowsApps]
 # Ensure this server class is matched by all clients. It is IMPORTANT to
 # have a general filter here, and a more specific filter at the app level.
 # An app is matched _only_ if the server class it is contained in was
 # successfully matched!
 whitelist.0=*
 machineTypesFilter=windows-*

 [serverClass:WindowsApps:app:winlogs]
 # Deploy this app only to Windows boxes.
 machineTypesFilter=windows-*
 whitelist.0=*
 stateOnClient = enabled
 restartSplunkd = true

 [serverClass:WindowsApps:app:fwd_logs]
 # Deploy this app only to Windows boxes.
 machineTypesFilter=windows-*
 whitelist.0=*
 stateOnClient = enabled
 restartSplunkd = true

 [serverClass:LinuxApps]
 # Ensure this server class is matched by all clients. It is IMPORTANT to
 # have a general filter here, and a more specific filter at the app level.
 # An app is matched _only_ if the server class it is contained in was
 # successfully matched!
 whitelist.0=*
 machineTypesFilter=linux-*

 [serverClass:LinuxApps:app:linlogs]
 # Deploy this app only to unix boxes - 32/64 bit.
 restartSplunkd = true

 [serverClass:LinuxApps:app:fwd_logs]
 restartSplunkd = true

Note that you might want to look into the issueReload/restartIfNeeded if you're running really new forwarder versions.

0 Karma

MuS
SplunkTrust

Hi there,

Did you check with btool that your config is applied?

$SPLUNK_HOME/bin/splunk btool serverclass list --debug will show you what config is applied and where the config is coming from, e.g. .conf file.

0 Karma
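
An added example, not part of the thread and not Splunk tooling: the configuration in the question defines [serverClass:AppsByMachineType:app:fwd_logs] twice, once with machineTypesFilter=windows-* and once with the Linux values, and a stanza can only carry one effective value per key. The Python check below flags such repeated stanzas with conflicting values so they can be compared against the btool output; the sample text is abridged from the question, and the function names are hypothetical.

```python
from collections import defaultdict

# Sample input, abridged from the serverclass.conf posted in the question.
SAMPLE_CONF = """\
[serverClass:AppsByMachineType:app:winlogs]
machineTypesFilter=windows-*

[serverClass:AppsByMachineType:app:fwd_logs]
machineTypesFilter=windows-*
whitelist.0=*

[serverClass:AppsByMachineType:app:fwd_logs]
machineTypesFilter=linux-i686, linux-x86_64
whitelist.0=*
"""


def parse_stanzas(text):
    """Return [(stanza_name, header_line_no, {key: value})], one per occurrence."""
    stanzas, current = [], None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], line_no, {})
            stanzas.append(current)
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[2][key.strip()] = value.strip()
    return stanzas


def find_conflicts(text):
    """Return {stanza: {key: [(header_line_no, value), ...]}} for keys that
    get different values in repeated occurrences of the same stanza."""
    seen = defaultdict(lambda: defaultdict(list))
    for name, line_no, settings in parse_stanzas(text):
        for key, value in settings.items():
            seen[name][key].append((line_no, value))
    conflicts = {}
    for name, keys in seen.items():
        bad = {k: v for k, v in keys.items() if len({val for _, val in v}) > 1}
        if bad:
            conflicts[name] = bad
    return conflicts


if __name__ == "__main__":
    for stanza, keys in find_conflicts(SAMPLE_CONF).items():
        for key, hits in keys.items():
            print(f"[{stanza}] {key}: {hits}")
```

Keys repeated with the same value (whitelist.0=* here) are not reported; only genuinely conflicting settings are.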