inputs.conf error in SplunkForwarder

zservati1
New Member

I have updated the inputs.conf under /opt/splunkforwarder/etc/system/local, but after restarting Splunk I'm getting the following error, which is related to a syntax issue in some of the _blacklist statements. Not all of the _blacklist statements have the issue, only some, which is weird because they all have the same format.

[root@pprfefpba400 local]# /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkd...
Shutting down. Please wait, as this may take a few [ OK ]
Stopping splunk helpers... [ OK ]
Splunk> The IT Search Engine.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for typos...
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/searchhistory.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 6: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunkd.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 11: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunklogger.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 16: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web_access.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 21: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web_service.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 26: _blacklist = \.(gz)\$
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
[ OK ]

Here is a copy of inputs.conf:

host = $web_server

[tail:///opt/splunk/var/log/splunk/searchhistory.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/splunkd.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/splunklogger.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/web_access.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/web_service.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/audit.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/boot.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/cluster.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/converter.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/disaster-recovery/disaster-recovery.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/filer-denied.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/server.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/clockSkew.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/etxbridge.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/messages]
disabled = false
sourcetype = syslog
index = efepr
_blacklist = \.(gz)\$

[monitor:///opt/splunk/etc/system/local/inputs.conf]
sourcetype = splunk_inputs_conf
disabled = false
index = efepr
_blacklist = \.(gz)\$

[monitor:///usr/local/tomcat/logs/catalina.out]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$


kristian_kolb
Ultra Champion

Hi,

Well it looks like there are typos indeed, but not in the line which states "_blacklist".
The main problem is probably with the [tail://] directive. To the best of my knowledge it does not exist. What you probably want is

[monitor://<some_path>]
followTail=1

Also, according to the documentation, _blacklist is still honored, but you should use
blacklist = <regular expression> instead.

Did you explicitly set the [tail://] stanzas? The $SPLUNK_HOME/var/log/splunk/*.log files are normally handled by splunk by default (as can/should be seen in $SPLUNK_HOME/etc/system/default/inputs.conf).

What version are you running? On what platform?

For more information see the official documentation regarding inputs.conf.

http://docs.splunk.com/Documentation/Splunk/4.2.4/Admin/Inputsconf

Hope this helps,

/Kristian
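
The checks from the answer above, as an added example (not part of the original thread and not Splunk's own tooling): a small Python linter that flags tail:// stanzas and the _blacklist key in an inputs.conf body. The third check, for a blacklist regex ending in `\$` (a literal dollar sign rather than the end-of-string anchor), goes beyond what the answer covers; the sample config and the function name `lint_inputs` are constructed for illustration.

```python
import re

# Constructed sample in the style of the inputs.conf posted in the question.
SAMPLE = r"""
[tail:///opt/splunk/var/log/splunk/splunkd.log]
disabled = true
_blacklist = \.(gz)\$

[monitor:///var/log/messages]
sourcetype = syslog
_blacklist = \.(gz)\$

[monitor:///var/log/efe/server.log]
blacklist = \.(gz)$
"""

STANZA = re.compile(r"^\[(?P<scheme>[^:\]]+)://(?P<path>[^\]]*)\]$")
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")
# An odd number of backslashes before a final '$' makes it a literal dollar.
ESCAPED_END = re.compile(r"(?<!\\)(?:\\\\)*\\\$$")

def lint_inputs(text):
    """Return (line_no, stanza, message) findings for an inputs.conf body."""
    findings, stanza = [], "<global>"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            stanza = line
            m = STANZA.match(line)
            if m and m["scheme"] == "tail":
                findings.append((no, stanza,
                    "tail:// stanza; use [monitor://%s] with followTail=1" % m["path"]))
            continue
        s = SETTING.match(line)
        if not s or s["key"] not in ("_blacklist", "blacklist"):
            continue
        if s["key"] == "_blacklist":
            findings.append((no, stanza, "_blacklist is still honored; prefer blacklist"))
        if ESCAPED_END.search(s["value"]):
            findings.append((no, stanza, r"regex ends in \$ (literal dollar), not the $ anchor"))
    return findings

if __name__ == "__main__":
    for no, stanza, msg in lint_inputs(SAMPLE):
        print(f"line {no}: {stanza}: {msg}")
```
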
