Cannot remove forward-server

andreasknutsson
Engager

I have inherited an old on-prem Splunk 7.0.2 installation that I'm now trying to reconfigure to forward data to our SplunkCloud instance.
I have installed the SplunkCloud app on the search-head that is acting as deploy-server. It is now forwarding its internal logs to the cloud as expected. Now I want to remove the old forward-servers.

When I execute: ./splunk list forward-server
I get this:

Active forwards:
    10.yy.167.67:9997 (ssl)
    inputs1.q.splunkcloud.com:9997 (ssl)
Configured but inactive forwards:
    10.yy.167.68:9997
    inputs10.q.splunkcloud.com:9997
    inputs11.q.splunkcloud.com:9997
    inputs12.q.splunkcloud.com:9997
    inputs13.q.splunkcloud.com:9997
    inputs14.q.splunkcloud.com:9997
    inputs15.q.splunkcloud.com:9997
    inputs2.q.splunkcloud.com:9997
    inputs3.q.splunkcloud.com:9997
    inputs4.q.splunkcloud.com:9997
    inputs5.q.splunkcloud.com:9997
    inputs6.q.splunkcloud.com:9997
    inputs7.q.splunkcloud.com:9997
    inputs8.q.splunkcloud.com:9997
    inputs9.q.splunkcloud.com:9997

This looks correct.
Then I execute: ./splunk remove forward-server 10.yy.167.68:9997 and get this message:

In handler 'tcpout-server': Type = outputs, Context = (user: nobody, app:, root: /opt/splunk/etc), Acting as = nobody: Invalid configuration context: Cannot read configuration if user context is set but app context is not

I get the same kind of message if I try to do this in the web gui.

I have tried to find the configuration file that contains this forward-server config but I cannot locate it.
It should be /splunk/etc/system/local/outputs.conf but there is no such file. I have tried grepping for the IP address in the entire /etc directory structure but got no matches!

Does anyone have any input on how to proceed?

Regards,
Andreas


harsmarvania57
Ultra Champion

Hi,

Try to find the tcpout stanza in outputs.conf using btool and look for that server there.

$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug

andreasknutsson
Engager

Good idea!
I executed that command and found one suspect:

[tcpout:clustered_indexers]

[indexer_discovery:cluster_master]

Could this be the issue? Is it safe to remove? We are going to retire the entire on-prem indexer setup, we do already have all data in SplunkCloud.


harsmarvania57
Ultra Champion

Is server 10.yy.167.67 listed under any tcpout stanza with the parameter server?

It looks like you are using indexer discovery, and because of that the 10.yy.167.67 indexer is coming from the Cluster Master. In that case, that server will be removed from the forward-server list when you decommission that indexer from the indexer cluster.

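An added helper, written for this thread and not part of any post or of Splunk itself: it reads the btool --debug output suggested above (a constructed sample is embedded; the file paths, the app name cluster_fwd and the cluster master host are made up) and reports, for a given host:port, whether it is configured statically in a file or handed out by indexer discovery, the case the last reply describes and the reason a grep over etc/ finds no such IP.

```shell
#!/bin/sh
# Constructed sample of `splunk cmd btool outputs list --debug` output; the
# paths, app name and cluster master host are made up, not from the thread.
# btool --debug prints "<defining file>  <stanza or key = value>" per line,
# so the first column says which outputs.conf a setting really comes from.
SAMPLE_BTOOL='/opt/splunk/etc/system/local/outputs.conf  [tcpout]
/opt/splunk/etc/system/local/outputs.conf  defaultGroup = clustered_indexers
/opt/splunk/etc/apps/cluster_fwd/local/outputs.conf  [tcpout:clustered_indexers]
/opt/splunk/etc/apps/cluster_fwd/local/outputs.conf  indexerDiscovery = cluster_master
/opt/splunk/etc/apps/cluster_fwd/local/outputs.conf  [indexer_discovery:cluster_master]
/opt/splunk/etc/apps/cluster_fwd/local/outputs.conf  master_uri = https://cm.example.internal:8089
/opt/splunk/etc/apps/100_splunkcloud/default/outputs.conf  [tcpout:splunkcloud]
/opt/splunk/etc/apps/100_splunkcloud/default/outputs.conf  server = inputs1.q.splunkcloud.com:9997, inputs2.q.splunkcloud.com:9997'

# Read btool --debug output on stdin and report where host:port "$1" comes
# from: "static <file> <stanza>" when a server key in some file lists it, or
# "discovered <stanza> <master_uri>" when no file lists it and a tcpout group
# uses indexer discovery. In the discovered case the cluster master supplies
# the server list at run time, so it is in no file under etc/ and
# "splunk remove forward-server" has nothing to edit; the list shrinks when
# the indexer is decommissioned from the cluster.
server_source() {
  awk -v want="$1" '
    { file = $1; sub(/^[^ \t]+[ \t]+/, ""); line = $0 }
    substr(line, 1, 1) == "[" { stanza = line; next }
    split(line, kv, /[ \t]*=[ \t]*/) > 1 {
      key = kv[1]; val = kv[2]
      if (key == "server") {
        n = split(val, hosts, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++)
          if (hosts[i] == want) { print "static " file " " stanza; found = 1 }
      }
      if (key == "indexerDiscovery") disc[stanza] = val
      if (key == "master_uri") master[stanza] = val
    }
    END {
      if (found) exit 0
      for (s in disc) { print "discovered " s " " master["[indexer_discovery:" disc[s] "]"]; exit 0 }
      print "unknown"
    }'
}

# Demo on the constructed sample: a cloud host is static, the 10.x one is discovered.
printf '%s\n' "$SAMPLE_BTOOL" | server_source inputs2.q.splunkcloud.com:9997
printf '%s\n' "$SAMPLE_BTOOL" | server_source 10.yy.167.68:9997
```

On a real host, pipe the output of `$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug` into server_source instead of the sample.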