Getting Data In

Still seeing connection_host typos on universal forwarder version 6.0.5 in my custom app

vcarbona
Path Finder

I saw an answer that said this was corrected in 4.2, but I'm seeing this on the 6.0.5 universal forwarder. Noticed the spec file has the correct config also, so I'm not sure why btool complains about this. What gives?

Possible typo in stanza [tcp:9999] in /opt/splunkforwarder/6.0.5-214064/etc/apps/mytcp/default/inputs.conf, line 5: connection_host = none

/opt/splunkforwarder/6.0.5-214064/etc/apps/mytcp/default/inputs.conf:
[tcp:9999]
sourcetype = foo
index = foo
queueSize = 1GB
connection_host = none

/opt/splunkforwarder/6.0.5-214064/etc/system/README/inputs.conf.spec:

[tcp://<remote server>:<port>]
* Configure Splunk to listen on a specific port.
* If a connection is made from <remote server>, this stanza is used to configure the input.
* If <remote server> is empty, this stanza matches all connections on the specified port.
* Will generate events with source set to tcp:portnumber,  for example: tcp:514
* If sourcetype is unspecified, will generate events with set sourcetype to tcp-raw.

# Additional attributes:

connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.
* Defaults to "dns".

queueSize = <integer>[KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.
0 Karma
1 Solution

vcarbona
Path Finder

I filed the bug along with a suggested fix:

Simply adding the following entry in the $SPLUNK_HOME/etc/system/README/inputs.conf.spec removed the error message:

[tcp:<port>] 
connection_host = <ip | dns | none> 
queueSize = <integer>[KB|MB|GB] 
persistentQueueSize = <integer>[KB|MB|GB|TB] 
requireHeader = <bool> 
listenOnIPv6 = <no | yes | only> 
acceptFrom = <network_acl> ... 
rawTcpDoneTimeout = <seconds> 

####The udp spec below is included in version 6.1.4 thru 6.2.4 so it shouldn't report a typo on udp entries.
####Add this entry also if you're running a forwarder 6.1.3 or lower.
[udp:<port>]
* This input stanza is same as [udp://<remote server>:<port>] but without any remote server restriction
* Please see the documentation for [udp://<remote server>:<port>] to follow supported settings:
connection_host = [ip|dns|none]
_rcvbuf = <integer>
no_priority_stripping = [true|false]
no_appending_timestamp = [true|false]
queueSize = <integer>[KB|MB|GB]
persistentQueueSize = <integer>[KB|MB|GB|TB]
listenOnIPv6 = <no | yes | only>
acceptFrom = <network_acl> ...

vcarbona
Path Finder

Addendum: Apparently btool checks these spec files (one of them being inputs.conf.spec) to verify if the actual conf files are in good order.

MuS
SplunkTrust

Just found the update-resistant solution to this!
Instead of using [tcp:9999] in your inputs.conf, use it as written in the docs, [tcp://0.0.0.0:9999], and the typo error is gone. Cheers, MuS

0 Karma

vcarbona
Path Finder

Yeah...it got rid of the error but the forwarder gives me these messages when I try to send something to it.

07-21-2015 13:43:42.154 -0500 INFO TcpInputConfig - No matching config for xx.xx.xx.xx
07-21-2015 13:43:42.154 -0500 WARN TcpInputProc - Could not find matching host.

0 Karma

MuS
SplunkTrust

Okay, another lesson learned: [tcp://0.0.0.0:9999] will not work; it has to be set to an IP, and then it works. Using [tcp://192.168.56.101:9999] and telnet to 192.168.56.101 port 9999, sending a foo, I can see the event in the main index.

0 Karma
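Added example (not part of the original thread, and not Splunk's code): a simplified model of stanza selection as the spec text quoted in the question describes it, where `<remote server>` restricts the sender rather than naming the listening address. It assumes literal IP comparison and that a sender-specific stanza wins over an unrestricted one; 10.1.2.3 is a constructed sender address.

```python
import re

# Raw TCP input stanza header: 'tcp://<remote server>:<port>' or 'tcp:<port>'.
STANZA = re.compile(r"^tcp:(?://(?P<remote>[^:/\]]*):)?(?P<port>\d+)$")

def parse_stanza(header):
    """Split a stanza header into (remote, port).

    remote is None when the stanza carries no sender restriction, i.e. the
    short form or an empty <remote server>.
    """
    m = STANZA.match(header)
    if not m:
        raise ValueError(f"not a raw TCP input stanza: {header!r}")
    return (m.group("remote") or None), int(m.group("port"))

def select_stanza(headers, peer_ip, port):
    """Return the stanza that applies to a connection from peer_ip, or None.

    Assumption: a stanza naming the sender wins over an unrestricted one;
    only literal IP comparison is modelled (no DNS names).
    """
    unrestricted = None
    for header in headers:
        remote, stanza_port = parse_stanza(header)
        if stanza_port != port:
            continue
        if remote == peer_ip:
            return header
        if remote is None and unrestricted is None:
            unrestricted = header
    return unrestricted

def describe(headers, peer_ip, port):
    """Readable outcome, echoing the 'No matching config' log line above."""
    hit = select_stanza(headers, peer_ip, port)
    return f"{peer_ip} -> [{hit}]" if hit else f"No matching config for {peer_ip}"

if __name__ == "__main__":
    # Constructed scenarios using the stanza forms from the thread.
    for conf in (["tcp://0.0.0.0:9999"], ["tcp://192.168.56.101:9999"], ["tcp:9999"]):
        for peer in ("10.1.2.3", "192.168.56.101"):
            print(conf, "|", describe(conf, peer, 9999))
```

In this model the `[tcp://192.168.56.101:9999]` stanza applies only to connections coming from 192.168.56.101, while `[tcp:9999]` applies to every sender on the port.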

MuS
SplunkTrust

True, thanks for recalling that point! Just remember that it can be over-written by any Splunk update.

0 Karma

MuS
SplunkTrust

Hi vcarbona,

If you're referring to this answer as being fixed since Splunk 4.2, http://answers.splunk.com/answers/13337/why-is-the-connection-host-option-in-a-udp-stanza-of-inputs-... this was related to the [UDP::/..] stanza and not the [TCP::/..] one.

The best thing to do is to contact Splunk Support with this, because if this is a known or new bug they can take care of it. You can file a bug here: http://www.splunk.com/r/bugs

Cheers, MuS

0 Karma

MuS
SplunkTrust

Just an update: This is also reported in uf 6.2.4

Checking conf files for problems...
                Invalid key in stanza [tcp:9999] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 5: connection_host  (value:  none)
0 Karma

woodcock
Esteemed Legend

The problem is probably that you are choosing not to specify a "host" so it cannot comply because each event MUST have a host. Add something like this and it should work:

host=NULL

Do not double-quote like host="NULL" because this will cause problems, too (warning in the dox).

0 Karma

vcarbona
Path Finder

The host parameter is already specified in $SPLUNK_HOME/etc/system/local/inputs.conf and it is a global attribute that takes effect across all apps. To give the benefit of the doubt, I added this in but got the same typo error. The TCP actually works fine. I'm trying to figure out why I'm getting this typo.

0 Karma

MuS
SplunkTrust

@vcarbona, you get this message because Splunk checks the config files on startup and is simply not aware of this option, connection_host = none, in inputs.conf. There is no way to remove it from your side. To be honest, @woodcock's answer is out of scope in this case, and I will file a bug for you 😉
