topic Re: inputs.conf error in Getting Data In

inputs.conf error

zservati1 — Mon, 28 Sep 2020 10:01:10 GMT

I'm getting following error while starting splunkforwarder after updating inputs.conf under splunkforwarder. These are related to syntax issue with blacklist statements, although the file contains many statements like this but only few are erroring out.

[root@pprfefpba400 local]# /etc/init.d/splunk start
Starting Splunk...

Splunk> The IT Search Engine.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for typos...
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/searchhistory.log] in /opt/splunkforwarder/et c/system/local/inputs.conf, line 6: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunkd.log] in /opt/splunkforwarder/etc/syst em/local/inputs.conf, line 11: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunklogger.log] in /opt/splunkforwarder/etc /system/local/inputs.conf, line 16: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web_access.log] in /opt/splunkforwarder/etc/s ystem/local/inputs.conf, line 21: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web_service.log] in /opt/splunkforwarder/etc/ system/local/inputs.conf, line 26: _blacklist = \.(gz)\$
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
All preliminary checks passed.
Starting splunk server daemon (splunkd)...

Here is the inputs.conf:

host = $web_server

[tail:///opt/splunk/var/log/splunk/searchhistory.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/splunkd.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/splunklogger.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/web_access.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/web_service.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/audit.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/audit.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/boot.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/cluster.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/converter.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/disaster-recovery/disaster-recovery.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/filer-denied.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/server.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/clockSkew.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/etxbridge.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/messages]
disabled = false
sourcetype = syslog
index = efepr
_blacklist = \.(gz)\$

[monitor:///opt/splunk/etc/system/local/inputs.conf]
sourcetype = splunk_inputs_conf
disabled = false
index = efepr
_blacklist = \.(gz)\$

[monitor:///usr/local/tomcat/logs/catalina.out]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

Re: inputs.conf error

GKC_DavidAnso — Tue, 25 Oct 2011 20:20:28 GMT

First try removing the _. Splunk now prefers "blacklist = blah".

Also, is there a reason for your () brackets? In your pattern you don't really need them, try removing them.

What version of SplunkForwarder are you running? Try upgrading to the latest version.

Re: inputs.conf error

zservati1 — Tue, 25 Oct 2011 22:56:26 GMT

I tried removing the '' from ''blacklist but I sill see the error.

Re: inputs.conf error

zservati1 — Tue, 25 Oct 2011 22:57:40 GMT

[root@pprfefpdb400 local]# /opt/splunkforwarder/bin/splunk -version
Splunk Universal Forwarder 4.2.1 (build 98164)
This is the splunk version I'm using.

Re: inputs.conf error

zservati1 — Tue, 25 Oct 2011 23:02:55 GMT

So it seems the error is related to scripts related to splunk server
[script:///opt/splunk/etc/system/bin/addm.sh]
[script:///opt/splunk/etc/system/bin/awr.sh]
[script:///opt/splunk/etc/system/bin/tbspace.sh]
I checked the directory and I can't see these files. Where are these file should exist even checked under splunkforwarder.

Re: inputs.conf error

GKC_DavidAnso — Tue, 25 Oct 2011 23:04:18 GMT

Try changing tail: to monitor: and setting followTail = 1, like below:

[monitor:///opt/splunk/var/log/splunk/searchhistory.log]
followTail = 1
disabled = true
index = efepr
_blacklist = .(gz)$

Re: inputs.conf error

GKC_DavidAnso — Tue, 25 Oct 2011 23:06:13 GMT

I probably shouldn't have chosen a disabled input as the example.....

Make sure you don't disable all the inputs copying and pasting.

Re: inputs.conf error

zservati1 — Tue, 25 Oct 2011 23:30:43 GMT

I changed the file according to the suggestion but still get error. These files do not exist in the specified directory, can this be an issue.

Re: inputs.conf error

GKC_DavidAnso — Mon, 28 Sep 2020 10:01:20 GMT

Are you still getting the same number of errors? You will need to update all of the tail: lines to monitor:

Are the errors you are getting the same?

Are you trying to do some kind of variable substitution in the host setting? Can you use just web_server without the $?
host = $web_server

Re: inputs.conf error

zservati1 — Wed, 26 Oct 2011 00:05:08 GMT

I think first the issue had to do with the file to be monitored not exist, and then I changed tail to monitor in few that had issue and was able to get get it to work. I am wondering what is the different between tail and monitor directives.

Re: inputs.conf error

zservati1 — Wed, 26 Oct 2011 00:17:18 GMT

Thanks for your answer as I mentioned I was able to get it to work to have the file pathname to point to the right directory, in otherwords it seems the file should exist and also changed [tail...] to [monitor...]. Now I like to know what's the difference between monitor and tail directive, is this okay to have monitor for splunk logs. Here is an example.

[monitor:///opt/splunkforwarder/var/log/splunk/searchhistory.log]
disabled = true
index = efepr
blacklist = .(gz)$

Re: inputs.conf error

GKC_DavidAnso — Wed, 26 Oct 2011 00:22:07 GMT

You should use the monitor:// input. If you only want to see new events (i.e. not read the history in the log) then add the "followTail = 1" parameter below the [monitor:// line.