Syntax error on splunk outputs.conf

ranjitbrhm1
Communicator

Hello All,
I am a newbie to distributed deployment. I was trying to specify the outputs.conf on the deployment server and the files get pushed on to the client. But there seems to be a syntax error on my outputs.conf file. My forwarders are listed on the UF as configured but not active. Following is my outputs.conf file.

 [tcpout]
 defaultGroup = indexers

 [tcpout:indexers]
 server = 192.168.1.144:9997

My status on the UF

Your session is invalid.  Please login.
Splunk username: admin
Password:
Active forwards:
        None
Configured but inactive forwards:
        192.168.1.144:9997

This is what happens when I restart the Splunk UF on the machine

Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking conf files for problems...
                Invalid key in stanza [tek:tekgroup] in /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf, line 2: server (value: 192.168.1.144:9997).
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.0.3-fa31da744b51-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
0 Karma

Azeemering
Builder

I think the error message you receive is from another outputs.conf, since you get an error about the [tek:tekgroup] stanza.
Do you have two outputs.conf in default and local?

Run the btool command: splunk btool check --debug to check

0 Karma

mayurr98
Super Champion

Have you enabled receiving on the indexer(s)? [at least, on the indexer running on 192.168.1.144]
To enable it on the indexer, go to Settings » Forwarding and receiving » Receive data.
Also, your stanza name is [tek:tekgroup]; go to the specified path, i.e. /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf, and then troubleshoot.

0 Karma

ranjitbrhm1
Communicator

How do I set the stanza? I actually managed using default settings like below. But I would really like to know how the correct stanza should be for the outputs.conf

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = 192.168.1.144:9997

tcpout-server://192.168.1.144:9997
0 Karma

mayurr98
Super Champion

You did not answer my question yet.
Have you enabled receiving on the indexer(s)? [at least, on the indexer running on 192.168.1.144]
To enable it on the indexer, go to Settings » Forwarding and receiving » Receive data.
Also, your stanza name is [tek:tekgroup]; go to the specified path, i.e. /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf, and then troubleshoot.

splunker12er
Motivator
outputs.conf

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
autoLB = true
server = 192.168.1.144:9997
0 Karma

splunker12er
Motivator

Set up the above outputs.conf file on your forwarding server and restart the Splunk service, then check with this command in your CLI:

splunk list forward-server

It should show the active forwards.

0 Karma
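
The startup check in the question rejected `server` under `[tek:tekgroup]` because that stanza name is not one outputs.conf recognizes. As an added example (not code from any poster or from Splunk), here is a small pre-deployment lint for the TCP-output stanzas used in this thread; `lint_outputs`, the partial stanza list and both sample files are assumptions constructed for illustration, and it does not replace `splunk btool check --debug`.

```python
import re

# Stanza name patterns for TCP forwarding, as used in this thread.
# Assumption: partial list; outputs.conf accepts other stanza types
# (for example [syslog]) that are deliberately not modelled here.
VALID_STANZA = re.compile(r"^(tcpout|tcpout:[^\s\]]+|tcpout-server://[^\s\]]+:\d+)$")
SERVER_ENTRY = re.compile(r"^[^\s:,]+:\d{1,5}$")  # host:port, IPv4 or hostname only


def parse_conf(text):
    """Return {stanza: {key: (value, line_no)}} for an INI-style conf body."""
    stanzas, current = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            stanzas[current][key] = (value, no)
    return stanzas


def lint_outputs(text):
    """Return a list of human-readable problems found in an outputs.conf body."""
    stanzas, problems = parse_conf(text), []
    for name, keys in stanzas.items():
        if not VALID_STANZA.match(name):
            problems.append(f"[{name}]: not a tcpout stanza name")
        if name.startswith("tcpout:"):
            value, no = keys.get("server", ("", 0))
            bad = [s for s in value.split(",") if not SERVER_ENTRY.match(s.strip())]
            if not value or bad:
                problems.append(f"[{name}]: missing or malformed server (line {no})")
    # Every group named in defaultGroup needs a matching [tcpout:<group>] stanza.
    groups = stanzas.get("tcpout", {}).get("defaultGroup", ("", 0))[0]
    for group in filter(None, (g.strip() for g in groups.split(","))):
        if f"tcpout:{group}" not in stanzas:
            problems.append(f"defaultGroup '{group}' has no [tcpout:{group}] stanza")
    return problems


# Constructed samples: a file with the rejected stanza name, and the thread's working file.
BROKEN = "[tek:tekgroup]\nserver = 192.168.1.144:9997\n\n[tcpout]\ndefaultGroup = tekgroup\n"
WORKING = "[tcpout]\ndefaultGroup = indexers\n\n[tcpout:indexers]\nserver = 192.168.1.144:9997\n"

if __name__ == "__main__":
    for label, body in (("broken", BROKEN), ("working", WORKING)):
        print(label, lint_outputs(body) or "ok")
```

Running it over each app's outputs.conf on the deployment server before pushing catches a misnamed group before the forwarder silently stops sending events to the indexer.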