I have updated the inputs.conf under /opt/splunkforwarder/etc/system/local, but after restarting Splunk I'm getting the following error, which points to a syntax issue in some of the _blacklist statements. Not all of the _blacklist statements have the issue, only some, which is weird because they all have the same format.
[root@pprfefpba400 local]# /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkd...
Shutting down. Please wait, as this may take a few [ OK ]
Stopping splunk helpers... [ OK ]
Splunk> The IT Search Engine.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for typos...
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/searchhistory.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 6: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunkd.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 11: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunklogger.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 16: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web_access.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 21: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web_service.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 26: _blacklist = \.(gz)\$
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
[ OK ]
Here is a copy of inputs.conf
host = $web_server
[tail:///opt/splunk/var/log/splunk/searchhistory.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$
[tail:///opt/splunk/var/log/splunk/splunkd.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$
[tail:///opt/splunk/var/log/splunk/splunklogger.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$
[tail:///opt/splunk/var/log/splunk/web_access.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$
[tail:///opt/splunk/var/log/splunk/web_service.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/audit.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/boot.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/cluster.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/converter.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/disaster-recovery/disaster-recovery.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/filer-denied.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/server.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/clockSkew.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/etxbridge.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/messages]
disabled = false
sourcetype = syslog
index = efepr
_blacklist = \.(gz)\$
[monitor:///opt/splunk/etc/system/local/inputs.conf]
sourcetype = splunk_inputs_conf
disabled = false
index = efepr
_blacklist = \.(gz)\$
[monitor:///usr/local/tomcat/logs/catalina.out]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
Hi,
Well, it looks like there are typos indeed, but not in the line which states "_blacklist".
The main problem is probably with the [tail://] directive. To the best of my knowledge it does not exist. What you probably want is
[monitor://<some_path>]
followTail=1
Also, according to the documentation, _blacklist is still honored, but you should use
blacklist = <regular expression>
instead.
Did you explicitly set the [tail://] stanzas? The $SPLUNK_HOME/var/log/splunk/*.log files are normally handled by Splunk by default (as can/should be seen in $SPLUNK_HOME/etc/system/default/inputs.conf).
What version are you running? On what platform?
For more information see the official documentation regarding inputs.conf.
http://docs.splunk.com/Documentation/Splunk/4.2.4/Admin/Inputsconf
Hope this helps,
/Kristian