Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

After disabling a Forwarder, it keeps talking to the receiver

Stefan
Explorer
‎12-03-2010 06:07 PM

I had several lightweight forwarders set up, with all of them pointing towards a single Cook Fwd.

Due to a mistake on 1 of the machines (over 190 of them) I wanted to disable forwarding, did so by editing outputs.conf again and restarted.

Communications wouldn't stop, so I started searching for other copies of the file, all were empty.

I then disabled the forwarder through CLI, restarted once again, all to no avail.

After searching for the receiver's IP on the forwarder box, I found it embeded in the outputs.conf that resides inside the search APP. Cleaned it, then restarted.

That did solve the issue for me, but the question is: What gives?

Reply
1 Solution
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎12-03-2010 11:34 PM

its hard to tell what went on with your configuration, however it seems that you were not correct when saying:
"I started searching for other copies of the file, all were empty"
Somehow you had multiple outputs.conf files, the one that you deleted and the one that was residing in the search app.

Next time, you might want to run the following command and make life easier for you: 

./splunk cmd btool outputs list --debug

This will tell you exactly what output.conf stanzas exist and where they are residing.

View solution in original post

Reply
Solved! Jump to solution
Solution

Genti
Splunk Employee
Splunk Employee
‎12-03-2010 11:34 PM

its hard to tell what went on with your configuration, however it seems that you were not correct when saying:
"I started searching for other copies of the file, all were empty"
Somehow you had multiple outputs.conf files, the one that you deleted and the one that was residing in the search app.

Next time, you might want to run the following command and make life easier for you: 

./splunk cmd btool outputs list --debug

This will tell you exactly what output.conf stanzas exist and where they are residing.

Reply
Solved! Jump to solution

Stefan
Explorer
‎12-06-2010 05:15 PM

Great tip, thanks !!

I had tried looking for copies of the file using "find outputs.conf".That returned several files but not the specific one inside Search...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...