- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have a standalone Splunk Enterprise system (version 9.x) with 10 UFs reporting (Splunk Enterprise and the UFs are all Windows OSs) - the Splunk Enterprise standalone system is an all-in-one: indexer, search head, deployment server, license manager, monitoring console...
I created a deployment app which to push out a standard outputs.conf file to all the UFs and it pushed out successfully, just like all the other deployment apps. I deleted the ~etc\system\local\outputs.conf from the UFs, restarted Splunk UF, made sure that the deployment app showed up in ~etc\apps\ (it did). But now that the outputs.conf is no longer in ~etc\system\local, I'm getting this:
WARN AutoLoadBalancedConnectionStrategy [pid TcpOutEloop] - cooked connection to ip=<xx.xx.xxx.xxx>:9997 timed out
I've made sure there isn't any other outputs.conf, especially not in ~etc\system\local it that it doesn't mess with the order of precedence, restared the UF, and everytime I get the same Warning...and of course, the logs aren't being sent to the indexer. But it does still phone home, but no actual logs.
When I run:
btool --debut outputs.conf list
I don't get any output.
But as soon as I get rid of this deployment app and put the same outputs.conf file back in ~etc\system\local, restart the UF, logs are being sent to the indexer. And my deployment app's structure is the same as the other deployment apps that do work...What am I doing wrong?
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved. My deployment app's outputs.conf file was using the wrong IP address of the Splunk indexer. Some IP changes were made that I wasn't aware of and didn't notice it until now. Once I updated the deployment app's outputs.conf file with the correct IP address, the cooked connection error went away and logs were getting to the indexer.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Solved. My deployment app's outputs.conf file was using the wrong IP address of the Splunk indexer. Some IP changes were made that I wasn't aware of and didn't notice it until now. Once I updated the deployment app's outputs.conf file with the correct IP address, the cooked connection error went away and logs were getting to the indexer.
Thanks.
