Question 1: Splunk Forwarder - configured inputs.c...

ghannemann · ‎02-26-2013

Hi

I have a standalone Splunk Server.
I have setup the server to revieve data from universal forwarder on a particular port.
I have setup an input on the server (index and web) in etc/system/local/inputs.conf staring with
[splunktcp...

One forwarder now appears to be sending logs after much fiddling around getting it to work.
The second forwarder is now doing what the first one did. It returns the following message in the logs:

CMConfig - A splunktcp forwarder port is not configured in inputs.conf

Which input file is this message refereing to? Forwarder or Server?

As far as I can tell the inputs.conf is serup.
What should I be looking at to solve this?
Does it need a port per connection?

We are running the latest version of splunk

Thank in advance.

ghannemann · ‎08-27-2015

Long time ago - was a network issue

ghannemann · ‎03-11-2013

This seems to almost a false message.
The ouputs.conf are configured - correct according to what I can find in the documentation.
The message appears nearly everytime when the forwarder is started. It then appears to reconnect and then it works. If can see the via netstat that an initial connection has a status for TIME_WAIT, and a second connection shows ESTABLISHED. The forwarder then appears to work.

yannK · ‎02-26-2013

the forwarder must be missing a configured outputs.conf, please edit to add the definition (use the other one as model) or use the CLI commands to define the forwarding.

Question 1: Splunk Forwarder - configured inputs.conf

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases