Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syntax error on splunk outputs.conf

ranjitbrhm1
Communicator
‎04-04-2018 11:11 PM

Hello All,
I am a newbie to distributed deployment. I was trying to specify the outputs.conf on the deployment server and the files get pushed on to the client. But there seems to be a syntax error on my outputs.conf file. My forwarders are listed on the UF as configured but not active. Following is my outputs.conf file.

 [tcpout]
 defaultGroup = indexers

 [tcpout:indexers]
 server = 192.168.1.144:9997

My status on the UF

Your session is invalid.  Please login.
Splunk username: admin
Password:
Active forwards:
        None
Configured but inactive forwards:
        192.168.1.144:9997

This is what happens when i restart splunk UF on the machine

Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking conf files for problems...
                Invalid key in stanza [tek:tekgroup] in /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf, line 2: server (value: 192.168.1.144:9997).
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.0.3-fa31da744b51-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
0 Karma
Reply

Azeemering
Builder
‎04-05-2018 03:38 AM

I think the error message you receive is from another outputs.conf.
Since you get an error about [tek:tekgroup] stanza.
Do you have two outputs.conf in default and local?

Run the btool command: splunk btool check --debug to check

0 Karma
Reply

mayurr98
Super Champion
‎04-04-2018 11:36 PM

Have you enabled receiving on the indexer(s)? [at least, on the indexer running on 192.168.1.144]
to enable it on the indexer go to Settings » Forwarding and receiving » Receive data
Also, your stanza name is [tek:tekgroup] go to specified path i.e. /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf and then troubleshoot.

0 Karma
Reply

ranjitbrhm1
Communicator
‎04-05-2018 12:50 AM

How do i set the stanza? I actually managed using default settings like below. But i would really like to how how the correct stanza should be for the outputs.conf

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = 192.168.1.144:9997

tcpout-server://192.168.1.144:9997
0 Karma
Reply

mayurr98
Super Champion
‎04-05-2018 01:54 AM

you did not answer my question yet
Have you enabled receiving on the indexer(s)? [at least, on the indexer running on 192.168.1.144]
to enable it on the indexer go to Settings » Forwarding and receiving » Receive data
Also, your stanza name is [tek:tekgroup] go to specified path i.e. /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf and then troubleshoot.

Reply

splunker12er
Motivator
‎04-05-2018 01:40 AM 
outputs.conf

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
autoLB = true
server = 192.168.1.144:9997
0 Karma
Reply

splunker12er
Motivator
‎04-05-2018 01:42 AM

setup the above outputs.conf file in your forwarding server and restart the splunk service - then check command in your CLI:

splunk list forward-server

it should show the active forwards

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
li.common.scroll-to.top