Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why do I get "Invalid key in stanza [tcp-ssl://:1470] ... connection_host=dns your indexes and inputs are not internally consistent"?

msantich
Path Finder
‎12-14-2015 12:53 PM

Hello,

Our /opt/splunk/etc/apps/search/local/inputs.conf file on our forwarder contains:

[tcp-ssl://:1470]
connection_host=dns
sourcetype=apm_log
index=security_logs
queueSize=5MB

When starting the forwarder, I get:

checking for conf file problems:...
invalid key in stanza [tcp-ssl://:1470] in /opt/splunk/etc/apps/search/local/inputs.conf ...connection_host=dns
your indexes and inputs are not internally consistent.

btool output offers no additional information.

Can anyone offer advice?

Thank you so much.

msantich

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2015 04:26 PM

Are you sure that your stanza syntax is correct? As I read inputs.conf.spec, I would think that it should be

[tcp-ssl:1470]

Second, are you sure that there are no special characters, etc. in the connection_host=dns line? Sometimes I find that people cut-and-paste and unusual characters end up in configuration files. Splunk won't like that.

View solution in original post

Reply
Solved! Jump to solution

nnmiller
Contributor
‎12-28-2015 01:56 PM

splunktcp-ssl and tcp-ssl are two separate input stanza types. splunktcp-ssl is intended for receiving data from Splunk forwarders and allows the key connection_host. tcp-ssl is intended for encrypted communication coming in unparsed (e.g. from 3rd party systems) and does not allow the connection_host key.

Reference: Inputs.conf spec

Reply
Solved! Jump to solution

TonyLeeVT
Builder
‎08-20-2016 11:30 AM

I removed connection_host for tcp-ssl and Splunk no longer complained.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎12-14-2015 04:26 PM

Are you sure that your stanza syntax is correct? As I read inputs.conf.spec, I would think that it should be

[tcp-ssl:1470]

Second, are you sure that there are no special characters, etc. in the connection_host=dns line? Sometimes I find that people cut-and-paste and unusual characters end up in configuration files. Splunk won't like that.

Reply
Solved! Jump to solution

msantich
Path Finder
‎08-29-2016 11:43 AM

Thank you all.

0 Karma
Reply
Solved! Jump to solution

msantich
Path Finder
‎12-15-2015 08:20 AM

Thanks for the input Iguinn.

I tried each of your suggestions and I still get the same error on startup.
I changed the name of the stanza to tcp-ssl:1470 - still get the same error on startup.
I retyped the key-value pair "connection_host=dns" to ensure no special characters and I still get the error on startup.

thanks for your interest in my problem

msantich

0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎12-15-2015 02:53 PM

I am a bit stumped. Perhaps Splunk Support could help?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...