Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do I get "Invalid key in stanza [tcp-ssl://:1470] ... connection_host=dns your indexes and inputs are not internally consistent"?

msantich
Path Finder
‎12-14-2015 12:53 PM

Hello,

Our /opt/splunk/etc/apps/search/local/inputs.conf file on our forwarder contains:

[tcp-ssl://:1470]
connection_host=dns
sourcetype=apm_log
index=security_logs
queueSize=5MB

When starting the forwarder, I get:

checking for conf file problems:...
invalid key in stanza [tcp-ssl://:1470] in /opt/splunk/etc/apps/search/local/inputs.conf ...connection_host=dns
your indexes and inputs are not internally consistent.

btool output offers no additional information.

Can anyone offer advice?

Thank you so much.

msantich

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2015 04:26 PM

Are you sure that your stanza syntax is correct? As I read inputs.conf.spec, I would think that it should be

[tcp-ssl:1470]

Second, are you sure that there are no special characters, etc. in the connection_host=dns line? Sometimes I find that people cut-and-paste and unusual characters end up in configuration files. Splunk won't like that.

View solution in original post

Reply
Solved! Jump to solution

nnmiller
Contributor
‎12-28-2015 01:56 PM

splunktcp-ssl and tcp-ssl are two separate input stanza types. splunktcp-ssl is intended for receiving data from Splunk forwarders and allows the key connection_host. tcp-ssl is intended for encrypted communication coming in unparsed (e.g. from 3rd party systems) and does not allow the connection_host key.

Reference: Inputs.conf spec

Reply
Solved! Jump to solution

TonyLeeVT
Builder
‎08-20-2016 11:30 AM

I removed connection_host for tcp-ssl and Splunk no longer complained.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2015 04:26 PM

Are you sure that your stanza syntax is correct? As I read inputs.conf.spec, I would think that it should be

[tcp-ssl:1470]

Second, are you sure that there are no special characters, etc. in the connection_host=dns line? Sometimes I find that people cut-and-paste and unusual characters end up in configuration files. Splunk won't like that.

Reply
Solved! Jump to solution

msantich
Path Finder
‎08-29-2016 11:43 AM

Thank you all.

0 Karma
Reply
Solved! Jump to solution

msantich
Path Finder
‎12-15-2015 08:20 AM

Thanks for the input Iguinn.

I tried each of your suggestions and I still get the same error on startup.
I changed the name of the stanza to tcp-ssl:1470 - still get the same error on startup.
I retyped the key-value pair "connection_host=dns" to ensure no special characters and I still get the error on startup.

thanks for your interest in my problem

msantich

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-15-2015 02:53 PM

I am a bit stumped. Perhaps Splunk Support could help?

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...