Whitelist IP Ranges in serverclass.conf

rmcdougal
Path Finder

I am attempting to whitelist a range of IP addresses in my serverclass.conf but it doesn't seem to be working. This is the regex that I came up with to match IP Addresses between 10.0.0.0 and 10.49.255.255.

[serverClass:pcforwarders]
whitelist.0=10.([0-9]|[0-4][0-9]).[0-9]{1,3}.[0-9]{1,3}
blacklist.0=10.255.26.*

[serverClass:pcforwarders:app:pcforwardersconfigs]
stateOnClient=enabled
restartSplunkd=true

[serverClass:pcforwarders:app:pclogcollection]
stateOnClient=enabled
restartSplunkd=true

jbsplunk
Splunk Employee

AFAIK, you can't use a regex in a serverclass.conf whitelist. The spec file does not show this as being valid.

http://docs.splunk.com/Documentation/Splunk/latest/admin/Serverclassconf

whitelist.<n> = <clientName> | <ip address> | <hostname>
blacklist.<n> = <clientName> | <ip address> | <hostname>
    * 'n' is a number starting at 0, and increasing by 1. Stop looking at the filter when 'n' breaks.
    * The value of this attribute is matched against several things in order:
         * Any clientName specified by the client in its deploymentclient.conf file
         * The ip address of the connected client
         * The hostname of the connected client as provided by reverse DNS lookup
         * The hostname of the client as provided by the client
    * All of these can be used with wildcards.  * will match any sequence of characters.  For example:
        * Match an network range: 10.1.1.*
        * Match a domain: *.splunk.com
    * These patterns are PCRE regular expressions with the additional mappings:
        * '.' is mapped to '\.'
        * '*' is mapped to '.*'
    * Can be overridden at the serverClass level, and the serverClass:app level.
    * There are no whitelist or blacklist entries by default.

lguinn2
Legend

I have chatted with some folks who say PCRE is fine - now I just need to go test it!

0 Karma

jbsplunk
Splunk Employee

Notice: with the additional mappings. Meaning, it is a regex, but not PCRE compliant, which means I think you're going to run into unexpected behaviors trying to use PCRE straight up in the conf file.

0 Karma

lguinn2
Legend

Perhaps I misunderstand what this line means: "These patterns are PCRE regular expressions..."

0 Karma

lguinn2
Legend

I am not sure what your question is, exactly, but here is a great reference for regular expressions. I've linked to the page with an example for IP addresses.

http://www.regular-expressions.info/examples.html

Specifically, I think the following would match what you want:

10\.[0-4]?[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
0 Karma
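
An added illustration, not written by any poster in this thread or by Splunk: a Python model of the two mappings quoted from the spec excerpt above, applied to the patterns posted here, plus a wildcard-only whitelist for 10.0.* to 10.49.* that uses just the syntax the spec shows. Assumptions: the mappings are plain character substitutions, the whole value must match, a blacklist hit overrides the whitelist, and Python's re stands in for PCRE; all function names are hypothetical.

```python
import re

# Patterns copied from the thread.
OP_WHITELIST = "10.([0-9]|[0-4][0-9]).[0-9]{1,3}.[0-9]{1,3}"
OP_BLACKLIST = "10.255.26.*"
ESCAPED = (r"10\.[0-4]?[0-9]\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
           r"\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)")

def to_regex(pattern):
    """Apply only the two mappings quoted from the spec: '.' -> '\\.' and '*' -> '.*'."""
    return "".join({".": r"\.", "*": ".*"}.get(ch, ch) for ch in pattern)

def matches(pattern, value):
    # Assumption: the mapped pattern must match the whole value.
    return re.fullmatch(to_regex(pattern), value) is not None

def allowed(ip, whitelist, blacklist):
    # Assumption: a blacklist hit overrides any whitelist hit.
    if any(matches(p, ip) for p in blacklist):
        return False
    return any(matches(p, ip) for p in whitelist)

def wildcard_whitelist(first, last):
    """Wildcard-only lines for 10.<first>.* to 10.<last>.*, numbered from 0 with no gaps."""
    return [f"whitelist.{n}=10.{octet}.*"
            for n, octet in enumerate(range(first, last + 1))]

if __name__ == "__main__":
    print("mapped:", to_regex(OP_WHITELIST))
    # Constructed sample addresses.
    for ip in ("10.0.0.0", "10.49.255.255", "10.50.0.1", "10.255.26.7"):
        print(ip, allowed(ip, [OP_WHITELIST], [OP_BLACKLIST]), matches(ESCAPED, ip))
    print("\n".join(wildcard_whitelist(0, 49)[:3]), "...")
```

Under this model a pattern that already escapes its dots stops matching, because each `\.` is rewritten to `\\.`, while the wildcard-only entries behave the same whichever way the regex question is settled.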