Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to find distsearch.conf file on my system and it is causing an error. Are my inputs and outputs configurations correct?

antifreke
Path Finder
‎12-09-2016 09:48 AM

I'm having an issue getting the data in my .log files into splunk. I've tested connections, there are no firewall issues and my list-forward returned Active, but not forwarding.

Logs are stored at /var/og/rsyslog/firewall.log 

inputs.conf 
[monitor:///var/log/rsyslog/firewall.log]
disabled=false
index=firewall
sourcetype=syslog

outputs.conf
[tcpout]
defaultgroup= indexer
autoLB=true

[tcpout=indexer]
disabled=false
server=x.x.x.20:9997

When I open my splunkd-utility.log, I get a WARN for UserManagerPro - can't [distributedSearch] stanza in distsearch.conf
There is no distsearch.conf file on this system that I can find. Is my error coming from a misconfigured inputs/outputs configuration, or lack of this missing file?

0 Karma
Reply

isreis
Explorer
‎07-24-2017 10:43 AM

Dear Antifreke,
I usally setup the autoLB=True on the stanza where the indexer is being setup like this:

[tcpout]
defaultgroup= indexer

[tcpout=indexer]
disabled=false
server=x.x.x.20:9997
autoLB=true

For the most recent splunk universal forwarder versions, this parameter is no longer being used, it has been deprecated.

Please see this data below from outputs.conf

https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Outputsconf#outputs.conf

----Automatic Load-Balancing

Automatic load balancing is the only way to forward data.

Round-robin method of load balancing is not supported anymore.

autoLBFrequency =
* Every autoLBFrequency seconds, a new indexer is selected randomly from the
list of indexers provided in the server attribute of the target group
stanza.
* Defaults to 30 (seconds).

other tool that I am using to troubleshoot the config files is btool, please see here how you can use it

https://docs.splunk.com/Documentation/Splunk/6.6.2/Troubleshooting/Usebtooltotroubleshootconfigurati...

it is very hepfull and you can check for all the stanzas and parameters that was setup.

It can be something like:

./splunk cmd btool distsearch list --debug | more

If I am not wrong the distsearch.conf is created once you setup your indexers in your search head.

I hope this assist you to fix your issue.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...