I am trying to configure Splunk Cloud Forwarder for the first time. I am getting the below error, please help
Checking: C:\Program Files\SplunkUniversalForwarder\etc\apps\splunkclouduf\default\outputs.conf
Invalid key in stanza [tcpout:splunkcloud] in C:\Program Files\SplunkUniversalForwarder\etc\apps\splunkclouduf\default\outputs.conf, line 14: cipherSuit
E-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES
Did you mean 'channelReapInterval'?
Did you mean 'channelReapLowater'?
Did you mean 'channelTTL'?
Did you mean 'compressed'?
Did you mean 'connectionTimeout'?
I have the same error when starting with older UF.
My solution was:
1: Download the latest UF from Splunk Website
2: Uninstall the current UF
3: Re-install the latest downloaded UF
4: Start it. No more error found.
Hope this helps.
C:\Program Files\SplunkUniversalForwarder\bin>splunk restart
SplunkForwarder: Stopped
Splunk> The IT Search Engine.
Checking prerequisites...
Checking mgmt port [8090]: open
Checking conf files for problems...
Invalid key in stanza [tcpout:splunkcloud] in C:\Program Files\SplunkUniversalForwarder\etc\apps\splunkclouduf\default\outputs.conf, line 14: cipherSuit
-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES1
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program Files\SplunkUniversalForwarder\splunkforwarder-6.4.10-1c39464735cc-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
SplunkForwarder: Starting (pid 5516)
Still getting the same error
When processing a .conf file, Splunk verifies all keywords left of '=' are mentioned in a .conf.spec file. Check the outputs.conf.spec file for that app to make sure "cipherSuit" is spelled correctly.
I am still getting the same issue
C:\Program Files\SplunkUniversalForwarder\bin>splunk restart
SplunkForwarder: Stopped
Splunk> The IT Search Engine.
Checking prerequisites...
Checking mgmt port [8090]: open
Checking conf files for problems...
Invalid key in stanza [tcpout:splunkcloud] in C:\Program Files\SplunkUniversalForwarder\etc\apps\splunkclouduf\default\outputs.conf, line 14: cipherSui
-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from 'C:\Program Files\SplunkUniversalForwarder\splunkforwarder-6.4.10-1c39464735cc-windows-64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
SplunkForwarder: Starting (pid 12840)
Done
Now the error message is about "cipherSui" and originally it was about "cipherSuit". Could the correct value be "cipherSuite"?
I have tried all options and combination for the spelling