Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to find distsearch.conf file on my system and it is causing an error. Are my inputs and outputs configurations correct?

antifreke
Path Finder
‎12-09-2016 09:48 AM

I'm having an issue getting the data in my .log files into splunk. I've tested connections, there are no firewall issues and my list-forward returned Active, but not forwarding.

Logs are stored at /var/og/rsyslog/firewall.log 

inputs.conf 
[monitor:///var/log/rsyslog/firewall.log]
disabled=false
index=firewall
sourcetype=syslog

outputs.conf
[tcpout]
defaultgroup= indexer
autoLB=true

[tcpout=indexer]
disabled=false
server=x.x.x.20:9997

When I open my splunkd-utility.log, I get a WARN for UserManagerPro - can't [distributedSearch] stanza in distsearch.conf
There is no distsearch.conf file on this system that I can find. Is my error coming from a misconfigured inputs/outputs configuration, or lack of this missing file?

0 Karma
Reply

isreis
Explorer
‎07-24-2017 10:43 AM

Dear Antifreke,
I usally setup the autoLB=True on the stanza where the indexer is being setup like this:

[tcpout]
defaultgroup= indexer

[tcpout=indexer]
disabled=false
server=x.x.x.20:9997
autoLB=true

For the most recent splunk universal forwarder versions, this parameter is no longer being used, it has been deprecated.

Please see this data below from outputs.conf

https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Outputsconf#outputs.conf

----Automatic Load-Balancing

Automatic load balancing is the only way to forward data.

Round-robin method of load balancing is not supported anymore.

autoLBFrequency =
* Every autoLBFrequency seconds, a new indexer is selected randomly from the
list of indexers provided in the server attribute of the target group
stanza.
* Defaults to 30 (seconds).

other tool that I am using to troubleshoot the config files is btool, please see here how you can use it

https://docs.splunk.com/Documentation/Splunk/6.6.2/Troubleshooting/Usebtooltotroubleshootconfigurati...

it is very hepfull and you can check for all the stanzas and parameters that was setup.

It can be something like:

./splunk cmd btool distsearch list --debug | more

If I am not wrong the distsearch.conf is created once you setup your indexers in your search head.

I hope this assist you to fix your issue.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...