/opt/splunk/etc/apps/search/local/inputs.conf file on our forwarder contains:
[tcp-ssl://:1470] connection_host=dns sourcetype=apm_log index=security_logs queueSize=5MB
When starting the forwarder, I get:
checking for conf file problems:... invalid key in stanza [tcp-ssl://:1470] in /opt/splunk/etc/apps/search/local/inputs.conf ...connection_host=dns your indexes and inputs are not internally consistent.
btool output offers no additional information.
Can anyone offer advice?
Thank you so much.
Are you sure that your stanza syntax is correct? As I read inputs.conf.spec, I would think that it should be
Second, are you sure that there are no special characters, etc. in the
connection_host=dns line? Sometimes I find that people cut-and-paste and unusual characters end up in configuration files. Splunk won't like that.
Thanks for the input Iguinn.
I tried each of your suggestions and I still get the same error on startup.
I changed the name of the stanza to tcp-ssl:1470 - still get the same error on startup.
I retyped the key-value pair "connection_host=dns" to ensure no special characters and I still get the error on startup.
thanks for your interest in my problem
I am a bit stumped. Perhaps Splunk Support could help?
tcp-ssl are two separate input stanza types.
splunktcp-ssl is intended for receiving data from Splunk forwarders and allows the key
tcp-ssl is intended for encrypted communication coming in unparsed (e.g. from 3rd party systems) and does not allow the
Reference: Inputs.conf spec
I removed connection_host for tcp-ssl and Splunk no longer complained.