Getting Data In

Syntax error on splunk outputs.conf

ranjitbrhm1
Communicator

Hello All,
I am a newbie to distributed deployment. I was trying to specify the outputs.conf on the deployment server and the files get pushed on to the client. But there seems to be a syntax error on my outputs.conf file. My forwarders are listed on the UF as configured but not active. Following is my outputs.conf file.

 [tcpout]
 defaultGroup = indexers

 [tcpout:indexers]
 server = 192.168.1.144:9997

My status on the UF

Your session is invalid.  Please login.
Splunk username: admin
Password:
Active forwards:
        None
Configured but inactive forwards:
        192.168.1.144:9997

This is what happens when i restart splunk UF on the machine

Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking conf files for problems...
                Invalid key in stanza [tek:tekgroup] in /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf, line 2: server (value: 192.168.1.144:9997).
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.0.3-fa31da744b51-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
0 Karma

Azeemering
Builder

I think the error message you receive is from another outputs.conf.
Since you get an error about [tek:tekgroup] stanza.
Do you have two outputs.conf in default and local?

Run the btool command: splunk btool check --debug to check

0 Karma

mayurr98
Super Champion

Have you enabled receiving on the indexer(s)? [at least, on the indexer running on 192.168.1.144]
to enable it on the indexer go to Settings » Forwarding and receiving » Receive data
Also, your stanza name is [tek:tekgroup] go to specified path i.e. /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf and then troubleshoot.

0 Karma

ranjitbrhm1
Communicator

How do i set the stanza? I actually managed using default settings like below. But i would really like to how how the correct stanza should be for the outputs.conf

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = 192.168.1.144:9997

tcpout-server://192.168.1.144:9997
0 Karma

mayurr98
Super Champion

you did not answer my question yet
Have you enabled receiving on the indexer(s)? [at least, on the indexer running on 192.168.1.144]
to enable it on the indexer go to Settings » Forwarding and receiving » Receive data
Also, your stanza name is [tek:tekgroup] go to specified path i.e. /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf and then troubleshoot.

splunker12er
Motivator
outputs.conf

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
autoLB = true
server = 192.168.1.144:9997
0 Karma

splunker12er
Motivator

setup the above outputs.conf file in your forwarding server and restart the splunk service - then check command in your CLI:

splunk list forward-server

it should show the active forwards

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...