Solved: Re: When modifying serverclass.conf, which safegua...

ddrillic · ‎09-21-2018

The constantly updated serverclass.confhere creates all kinds of commotion. Today it was realized that we have the following:

[serverClass:<name>]
whiteline.0 = <host1>
whiteline.1 = <host2>
whiteline.2 = <host3>
whiteline.3 = <host4>
whiteline.4 = <host5>
....

Meaning, whitelist was written as whiteline by mistake. So, which safeguards we can put in place to avoid these mistakes/commotions?

harsmarvania57 · ‎09-21-2018

Hi @ddrillic,

You can use btool, please refer this document http://docs.splunk.com/Documentation/Splunk/7.1.3/Troubleshooting/CommandlinetoolsforusewithSupport

Check for typos: ./splunk cmd btool check

View solution in original post

harsmarvania57 · ‎09-21-2018

Hi @ddrillic,

You can use btool, please refer this document http://docs.splunk.com/Documentation/Splunk/7.1.3/Troubleshooting/CommandlinetoolsforusewithSupport

Check for typos: ./splunk cmd btool check

ddrillic · ‎09-23-2018

Gorgeous @harsmarvania57!

$ ./splunk cmd btool check

                Invalid key in stanza [serverClass:<class>] in /opt/splunk/etc/system/local/serverclass.conf, line 21: whiteline.0

ddrillic · ‎09-24-2018

Interestingly, it doesn't catch something like -

whitelist.92 = <host>
whitelist.93 = <host>
whitelist.94 = <host>
whitelist.95 = <host>
# number repetition 
whitelist.92 = <host>
whitelist.93 = <host>

When modifying serverclass.conf, which safeguards could help us avoid the following mistakes?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases