Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to troubleshoot configuration mismatch in inputs.conf and outputs.conf?

antifreke
Path Finder
‎12-07-2016 01:29 PM

Background, I am not an engineer and have little engineering experience. In setting up my instance, I have a question about the .Conf files.

Search Head - x.x.x.25
Syslog Server - x.x.x.24
Indexer 1- x.x.x.23

if I'm forwarding syslog data on udp 514, I have the following:

inputs.conf

[udp://514]
connection_host=dns
index=syslog
sourcetype=syslog

outputs.conf

[syslog:syslogGroup]
server = x.x.x.23:9997

[tcpout:indexer1]
server:x.x.x.23:9997

When I run list forward-server, I get the following:

Active forwards: none
configured but inactive: x.x.x.23:9997

Any ideas how I got this mismatch and what I need to do do make them active? I currently have no issues with networking, no firewalls, and can openly ping between devices. Thoughts?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-07-2016 05:50 PM

Your outputs.conf is misconfigured. It should be

[tcpout:group1]
server=x.x.x.23:9997

The tcpout specifies Splunk-forwarder-to-Splunk-indexer communication. group1 can be any unique name; it is needed only if there are multiple tcpout stanzas. (So "indexer1" is actually okay here, but it doesn't really mean anything.)
The server specification of x.x.x.23:9997 should be fine - as long as the indexer running on x.x.x.23 is actually listening on port 9997. If it is not, that would be one reason that it would show up as "inactive."

The [syslog:syslogGroup] stanza should be removed. It is specifying that the forwarder should send data in syslog format to the server - which it should not do. This also could be the reason that the indexer shows as inactive.

For more information, you should look at $SPLUNK_HOME/var/log/splunkd.log

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-07-2016 05:50 PM

Your outputs.conf is misconfigured. It should be

[tcpout:group1]
server=x.x.x.23:9997

The tcpout specifies Splunk-forwarder-to-Splunk-indexer communication. group1 can be any unique name; it is needed only if there are multiple tcpout stanzas. (So "indexer1" is actually okay here, but it doesn't really mean anything.)
The server specification of x.x.x.23:9997 should be fine - as long as the indexer running on x.x.x.23 is actually listening on port 9997. If it is not, that would be one reason that it would show up as "inactive."

The [syslog:syslogGroup] stanza should be removed. It is specifying that the forwarder should send data in syslog format to the server - which it should not do. This also could be the reason that the indexer shows as inactive.

For more information, you should look at $SPLUNK_HOME/var/log/splunkd.log

0 Karma
Reply
Solved! Jump to solution

antifreke
Path Finder
‎12-08-2016 10:10 AM

Alright, I have that up.. but I think I figured out part of my problem in rsyslog.conf. Does the following look like I did this correctly? 

if $fromhost-ip startswith 'x.x.x.23; then /var/log/rsyslog/devices.log
&~
0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...