Getting Data In
Highlighted

inputs.conf error in SplunkForwarder

New Member

I have updated the inputs.conf under /opt/splunkforwarder/etc/system/local, but after restarting splunk I'm getting the following error which is related to syntax issue in some of _blacklists statement, but not all of the _blacklist statements have issue only some which is weird because they all have do the same format.

[root@pprfefpba400 local]# /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkd...
Shutting down. Please wait, as this may take a few [ OK ]
Stopping splunk helpers... [ OK ]
Splunk> The IT Search Engine.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for typos...
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/searchhistory.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 6: blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunkd.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 11: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunklogger.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 16: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web
access.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 21: blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web
service.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 26: _blacklist = \.(gz)\$
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
[ OK ]
Here is a copy of inputs.conf
host = $web_server

[tail:///opt/splunk/var/log/splunk/searchhistory.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/splunkd.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/splunklogger.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/web_access.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/web_service.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/audit.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/boot.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/cluster.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/converter.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/disaster-recovery/disaster-recovery.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/filer-denied.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/server.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/clockSkew.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/etxbridge.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/messages]
disabled = false
sourcetype = syslog
index = efepr
_blacklist = \.(gz)\$

[monitor:///opt/splunk/etc/system/local/inputs.conf]
sourcetype = splunkinputsconf
disabled = false
index = efepr
_blacklist = \.(gz)\$

[monitor:///usr/local/tomcat/logs/catalina.out]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

Tags (1)
0 Karma
Highlighted

Re: inputs.conf error in SplunkForwarder

Ultra Champion

Hi,

Well it looks like there are typos indeed, but not in the line which states "_blacklist".
The main problem is probably with the [tail://] directive. To the best of my knowledge it does not exist. What you probably want is

[monitor://<some_path>]
followTail=1

Also, according to the documentation, _blacklist is still honored, but you should use
blacklist = <regular expression> instead.

Did you explicitly set the [tail://] stanzas? The $SPLUNK_HOME/var/log/splunk/*.log files are normally handled by splunk by default (as can/should be seen in $SPLUNK_HOME/etc/system/default/inputs.conf).

What version are you running? On what platform?

For more information see the official documentation regarding inputs.conf.

http://docs.splunk.com/Documentation/Splunk/4.2.4/Admin/Inputsconf

Hope this helps,

/Kristian