Getting Data In
Highlighted

Syntax error on splunk outputs.conf

Communicator

Hello All,
I am a newbie to distributed deployment. I was trying to specify the outputs.conf on the deployment server and the files get pushed on to the client. But there seems to be a syntax error on my outputs.conf file. My forwarders are listed on the UF as configured but not active. Following is my outputs.conf file.

 [tcpout]
 defaultGroup = indexers

 [tcpout:indexers]
 server = 192.168.1.144:9997

My status on the UF

Your session is invalid.  Please login.
Splunk username: admin
Password:
Active forwards:
        None
Configured but inactive forwards:
        192.168.1.144:9997

This is what happens when i restart splunk UF on the machine

Checking prerequisites...
        Checking mgmt port [8089]: open
        Checking conf files for problems...
                Invalid key in stanza [tek:tekgroup] in /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf, line 2: server (value: 192.168.1.144:9997).
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
        Done
        Checking default conf files for edits...
        Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-7.0.3-fa31da744b51-linux-2.6-x86_64-manifest'
        All installed files intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
0 Karma
Highlighted

Re: Syntax error on splunk outputs.conf

SplunkTrust
SplunkTrust

Have you enabled receiving on the indexer(s)? [at least, on the indexer running on 192.168.1.144]
to enable it on the indexer go to Settings » Forwarding and receiving » Receive data
Also, your stanza name is [tek:tekgroup] go to specified path i.e. /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf and then troubleshoot.

0 Karma
Highlighted

Re: Syntax error on splunk outputs.conf

Communicator

How do i set the stanza? I actually managed using default settings like below. But i would really like to how how the correct stanza should be for the outputs.conf

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = 192.168.1.144:9997

tcpout-server://192.168.1.144:9997
0 Karma
Highlighted

Re: Syntax error on splunk outputs.conf

Motivator
outputs.conf

[tcpout]
defaultGroup = indexers

[tcpout:indexers]
autoLB = true
server = 192.168.1.144:9997
0 Karma
Highlighted

Re: Syntax error on splunk outputs.conf

Motivator

setup the above outputs.conf file in your forwarding server and restart the splunk service - then check command in your CLI:

splunk list forward-server

it should show the active forwards

0 Karma
Highlighted

Re: Syntax error on splunk outputs.conf

SplunkTrust
SplunkTrust

you did not answer my question yet
Have you enabled receiving on the indexer(s)? [at least, on the indexer running on 192.168.1.144]
to enable it on the indexer go to Settings » Forwarding and receiving » Receive data
Also, your stanza name is [tek:tekgroup] go to specified path i.e. /opt/splunkforwarder/etc/apps/baseconfig/local/outputs.conf and then troubleshoot.

Highlighted

Re: Syntax error on splunk outputs.conf

Builder

I think the error message you receive is from another outputs.conf.
Since you get an error about [tek:tekgroup] stanza.
Do you have two outputs.conf in default and local?

Run the btool command: splunk btool check --debug to check

0 Karma