I use Universal Forwarder (UF) and try to configure it using DeploymentServer located on the index server. The application/config meant to be placed on the UF is not found on the UF. During startup of the UF the following is written in the splunkd.log:
...
05-30-2011 15:25:08.540 +0200 ERROR IndexProcessor - 'blockSignatureDatabase' tag required in config
05-30-2011 15:25:08.560 +0200 ERROR IndexProcessor - Index configuration error: 'blockSignatureDatabase' tag required in config
05-30-2011 15:25:08.573 +0200 WARN HttpPubSubConnection - Received message for an unsubscribed channel: deploymentServer/phoneHome/default/reply/[* server name - masked out ** ]/deploymentClient
05-30-2011 15:25:08.575 +0200 ERROR pipeline - Index configuration error: 'blockSignatureDatabase' tag required in config
05-30-2011 15:25:08.575 +0200 ERROR PipelineComponent - The pipeline indexerPipe threw an exception during initialize
05-30-2011 15:25:08.575 +0200 INFO PipelineComponent - Shutting down system due to fatal error
...
Note that the same server the UF is running on is also running an old LightForwarder in parallel on a different management port. This is done because we are setting up a new Splunk environment and want to keep the old one as it is, with an overlap of data.
Anyone who can help me understand what this means and how I can solve this?
I found the solution here;
When I deployed apps and config through the deployment server, I named one of the applications SplunkUniversalForwarder. That is the same as the standard application for the UniversalForwarder. This caused the SplunkUniversalForwarder app to be overwritten, and parts of its config were lacking. The result was that the Universal Forwarder was no longer interpreted as one. For example, signing was expected.
Good find. I would have never guessed that.
The two do not sound related. The blockSignatureDatabase option is related to IT data block signing, and has nothing to do with DeploymentServer. http://www.splunk.com/base/Documentation/latest/Admin/ITDataSigning
Basically, if you have an index configured with blockSignSize= then you also need a blockSignatureDatabase= setting in indexes.conf. On an indexer, this should be set by default.
It also does not make sense to set up block signatures on a forwarder, as no data is actually stored there. Perhaps you have an app that is deployed via deployment server pushing an indexes.conf with these settings?
I agree with you.
1) It is not related to deployment server. It seems to work fine. The correct apps are deployed to the UF from the deployment server.
2) Signing on a forwarder doesn't make sense. I tested if there were any indexes config on the UF (using "splunk cmd btool indexes list --debug") but nothing was found.
I also removed the old light forwarder running on the same server as the UF. Same error still in splunkd.log.
I wrote "the application/config meant to be placed on the UF is not found on the UF". That is wrong. Config is deployed to the UF by the deployment server. But no data is sent to the indexer from the UF.
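
A pre-deployment check for the two conditions discussed in this thread, as an added example that is not part of the original posts or Splunk's own tooling: it flags a deployment app whose name matches the built-in SplunkUniversalForwarder app, and an indexes.conf that sets blockSignSize without blockSignatureDatabase. The function names, the sample app names and the single-file view of the configuration (no layering across apps, as btool would do) are assumptions.

```python
import re
# Assumption: only the built-in app named on this page; extend for your environment.
RESERVED_APPS = {"splunkuniversalforwarder"}

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before any stanza go to 'default'."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def signing_gaps(indexes_conf_text):
    """Index stanzas with blockSignSize > 0 while blockSignatureDatabase is unset."""
    conf = parse_conf(indexes_conf_text)
    defaults = conf.get("default", {})
    if defaults.get("blockSignatureDatabase"):
        return []
    gaps = []
    for name, settings in conf.items():
        size = settings.get("blockSignSize", defaults.get("blockSignSize", "0"))
        if name != "default" and size.isdigit() and int(size) > 0:
            gaps.append(name)
    return sorted(gaps)

def audit_apps(apps):
    """apps: {app_name: {conf_file_name: text}} -> sorted list of (app, finding)."""
    findings = []
    for app, files in apps.items():
        if app.lower() in RESERVED_APPS:
            findings.append((app, "name collides with a built-in app"))
        for index in signing_gaps(files.get("indexes.conf", "")):
            findings.append((app, f"index '{index}' sets blockSignSize without blockSignatureDatabase"))
    return sorted(findings)

# Constructed sample of apps staged for deployment (not from the thread).
SAMPLE_APPS = {
    "SplunkUniversalForwarder": {"outputs.conf": "[tcpout]\ndefaultGroup = idx\n"},
    "org_all_indexes": {"indexes.conf": "[audit_raw]\nblockSignSize = 100\n"},
    "org_uf_inputs": {"inputs.conf": "[monitor:///var/log/messages]\n"},
}
```

Running `audit_apps(SAMPLE_APPS)` before pushing apps from the deployment server reports the name collision and the unsigned-database gap; the third sample app passes clean.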