Getting Data In

deployment-app controlled outputs.conf not working

dkr3500
Path Finder

Hello,

I have a standalone Splunk Enterprise system (version 9.x) with 10 UFs reporting (Splunk Enterprise and the UFs are all Windows OSs) - the Splunk Enterprise standalone system is an all-in-one: indexer, search head, deployment server, license manager, monitoring console...

I created a deployment app which to push out a standard outputs.conf file to all the UFs and it pushed out successfully, just like all the other deployment apps.  I deleted the ~etc\system\local\outputs.conf from the UFs, restarted Splunk UF, made sure that the deployment app showed up in ~etc\apps\ (it did).  But now that the outputs.conf is no longer in ~etc\system\local, I'm getting this:

WARN AutoLoadBalancedConnectionStrategy [pid TcpOutEloop] - cooked connection to ip=<xx.xx.xxx.xxx>:9997 timed out

 I've made sure there isn't any other outputs.conf, especially not in ~etc\system\local it that it doesn't mess with the order of precedence, restared the UF, and everytime I get the same Warning...and of course, the logs aren't being sent to the indexer.  But it does still phone home, but no actual logs.

When I run:

btool --debut outputs.conf list

 I don't get any output.

But as soon as I get rid of this deployment app and put the same outputs.conf file back in ~etc\system\local, restart the UF, logs are being sent to the indexer.  And my deployment app's structure is the same as the other deployment apps that do work...What am I doing wrong?

Thanks.

Labels (1)
0 Karma
1 Solution

dkr3500
Path Finder

Solved.  My deployment app's outputs.conf file was using the wrong IP address of the Splunk indexer.  Some IP changes were made that I wasn't aware of and didn't notice it until now.  Once I updated the deployment app's outputs.conf file with the correct IP address, the cooked connection error went away and logs were getting to the indexer.

Thanks.

View solution in original post

0 Karma

dkr3500
Path Finder

Solved.  My deployment app's outputs.conf file was using the wrong IP address of the Splunk indexer.  Some IP changes were made that I wasn't aware of and didn't notice it until now.  Once I updated the deployment app's outputs.conf file with the correct IP address, the cooked connection error went away and logs were getting to the indexer.

Thanks.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...