I saw an answer that said this was corrected in 4.2 but I'm seeing this on 6.0.5 universal forwarder. Noticed the spec file has the correct config also so I'm not sure why btool complains about this. What gives?:
Possible typo in stanza [tcp:9999] in /opt/splunkforwarder/6.0.5-214064/etc/apps/mytcp/default/inputs.conf, line 5: connection_host = none
sourcetype = foo
index = foo
queueSize = 1GB
connection_host = none
[tcp://<remote server>:<port>]
* Configure Splunk to listen on a specific port.
* If a connection is made from <remote server>, this stanza is used to configure the input.
* If <remote server> is empty, this stanza matches all connections on the specified port.
* Will generate events with source set to tcp:portnumber, for example: tcp:514
* If sourcetype is unspecified, will generate events with set sourcetype to tcp-raw.

# Additional attributes:

connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk system hostname.
* Defaults to "dns".

queueSize = <integer>[KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.
The problem is probably that you are choosing not to specify a "host" so it cannot comply because each event MUST have a host. Add something like this and it should work:
Do not double-quote like host="NULL" because this will cause problems, too (warning in the dox).
The host parameter is already specified in $SPLUNK_HOME/etc/system/local/inputs.conf and it is a global attribute that takes effect across all apps. To give benefit of the doubt, I added this in but got the same typo error. The TCP actually works fine. I'm trying to figure out why I'm getting this typo.
@vcarbona, you get this message because Splunk checks the config files on startup and is simply not aware of this option connection_host = none in inputs.conf. There is no way to remove it from your side. To be honest, @woodcock's answer is out of scope in this case and I will file a bug for you 😉
If you're referring to this answer as being fixed since Splunk 4.2 http://answers.splunk.com/answers/13337/why-is-the-connection-host-option-in-a-udp-stanza-of-inputs-... this was related to the [UDP::/..] stanza and not the
Best thing to do, contact Splunk Support with this, because if this is a known or new bug they can take care. You can file a bug here http://www.splunk.com/r/bugs
Just an update: This is also reported in uf 6.2.4
Checking conf files for problems... Invalid key in stanza [tcp:9999] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 5: connection_host (value: none)
I filed the bug along with a suggested fix:
Simply adding the following entry in the $SPLUNK_HOME/etc/system/README/inputs.conf.spec removed the error message:
[tcp:<port>]
connection_host = <ip | dns | none>
queueSize = <integer>[KB|MB|GB]
persistentQueueSize = <integer>[KB|MB|GB|TB]
requireHeader = <bool>
listenOnIPv6 = <no | yes | only>
acceptFrom = <network_acl>
...
rawTcpDoneTimeout = <seconds>
####The udp spec below is included in version 6.1.4 thru 6.2.4 so it shouldn't report a typo on udp entries.
####Add this entry also if you're running a forwarder 6.1.3 or lower.
* This input stanza is same as [udp://
* Please see the documentation for [udp://
connection_host = [ip|dns|none]
no_appending_timestamp = [true|false]
acceptFrom = <network
Addendum: Apparently btool checks these spec files (one of them being inputs.conf.spec) to verify if the actual conf files are in good order.
True, thanks for recalling that point! Just remember that it can be over-written by any Splunk update.
Just found the update resident solution to this!
Instead of using [tcp:9999] in your inputs.conf, use it as written in the docs, [tcp://0.0.0.0:9999], and the typo error is gone.
cheers, MuS
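Added example, not part of the thread and not Splunk's code: a simplified Python model of the spec-driven check described above, showing why [tcp:9999] is flagged while [tcp://0.0.0.0:9999] is not, and why appending a [tcp:<port>] entry to the spec silences the message. The matching logic, the GLOBAL_KEYS set and all function names are assumptions made for illustration; btool's real algorithm may differ.

```python
import re

# Assumed for this model: keys accepted in any inputs.conf stanza.
GLOBAL_KEYS = {"host", "index", "source", "sourcetype"}

def parse(text):
    """Parse .conf/.spec text into {stanza header: set of keys}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*":  # blank, comment or spec doc line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, set())
        elif "=" in line and current is not None:
            stanzas[current].add(line.split("=", 1)[0].strip())
    return stanzas

def header_regex(spec_header):
    """tcp://<remote server>:<port> -> regex; each <placeholder> may be empty."""
    parts = re.split(r"(<[^>]+>)", spec_header)
    return re.compile("".join(".*" if p.startswith("<") else re.escape(p) for p in parts))

def check(conf_text, spec_text):
    """Return (stanza, key) pairs that no matching spec stanza declares."""
    spec = parse(spec_text)
    findings = []
    for header, keys in parse(conf_text).items():
        allowed = set(GLOBAL_KEYS)
        for spec_header, spec_keys in spec.items():
            if header_regex(spec_header).fullmatch(header):
                allowed |= spec_keys
        findings += [(header, key) for key in sorted(keys - allowed)]
    return findings

# Constructed spec excerpt, reduced from the text quoted in the question.
SPEC = "[tcp://<remote server>:<port>]\nconnection_host = [ip|dns|none]\n"
# Spec with the [tcp:<port>] entry suggested in the thread appended.
SPEC_PATCHED = SPEC + "[tcp:<port>]\nconnection_host = <ip | dns | none>\n"
# Constructed conf samples based on the stanzas discussed in the thread.
CONF_SHORT = "[tcp:9999]\nsourcetype = foo\nindex = foo\nconnection_host = none\n"
CONF_URI = CONF_SHORT.replace("[tcp:9999]", "[tcp://0.0.0.0:9999]")

if __name__ == "__main__":
    print(check(CONF_SHORT, SPEC))          # [('tcp:9999', 'connection_host')]
    print(check(CONF_URI, SPEC))            # []
    print(check(CONF_SHORT, SPEC_PATCHED))  # []
```

Running a lint like this against the conf files you deploy separates genuine key typos from gaps in the shipped spec without editing files under $SPLUNK_HOME/etc/system/README, which an upgrade replaces.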