Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

inputs.conf error in SplunkForwarder

zservati1
New Member
‎10-25-2011 12:37 PM

I have updated the inputs.conf under /opt/splunkforwarder/etc/system/local, but after restarting splunk I'm getting the following error which is related to syntax issue in some of _blacklists statement, but not all of the _blacklist statements have issue only some which is weird because they all have do the same format.

[root@pprfefpba400 local]# /etc/init.d/splunk restart
Restarting Splunk...
Stopping splunkd...
Shutting down. Please wait, as this may take a few [ OK ]
Stopping splunk helpers... [ OK ]
Splunk> The IT Search Engine.
Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for typos...
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/searchhistory.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 6: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunkd.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 11: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/splunklogger.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 16: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web_access.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 21: _blacklist = \.(gz)\$
Possible typo in stanza [tail:///opt/splunk/var/log/splunk/web_service.log] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 26: _blacklist = \.(gz)\$
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
[ OK ]
Here is a copy of inputs.conf
host = $web_server

[tail:///opt/splunk/var/log/splunk/searchhistory.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/splunkd.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/splunklogger.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/web_access.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[tail:///opt/splunk/var/log/splunk/web_service.log]
disabled = true
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/audit.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$
[monitor:///var/log/efe/boot.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/cluster.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/converter.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/disaster-recovery/disaster-recovery.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/filer-denied.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/server.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/clockSkew.log]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/efe/etxbridge.log]
disabled = true
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

[monitor:///var/log/messages]
disabled = false
sourcetype = syslog
index = efepr
_blacklist = \.(gz)\$

[monitor:///opt/splunk/etc/system/local/inputs.conf]
sourcetype = splunk_inputs_conf
disabled = false
index = efepr
_blacklist = \.(gz)\$

[monitor:///usr/local/tomcat/logs/catalina.out]
disabled = false
sourcetype = log4j
index = efepr
_blacklist = \.(gz)\$

Tags (1)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎10-25-2011 01:07 PM

Hi,

Well it looks like there are typos indeed, but not in the line which states "_blacklist".
The main problem is probably with the [tail://] directive. To the best of my knowledge it does not exist. What you probably want is 

[monitor://<some_path>]
followTail=1

Also, according to the documentation, _blacklist is still honored, but you should use
blacklist = <regular expression> instead.

Did you explicitly set the [tail://] stanzas? The $SPLUNK_HOME/var/log/splunk/*.log files are normally handled by splunk by default (as can/should be seen in $SPLUNK_HOME/etc/system/default/inputs.conf).

What version are you running? On what platform?

For more information see the official documentation regarding inputs.conf.

http://docs.splunk.com/Documentation/Splunk/4.2.4/Admin/Inputsconf

Hope this helps,

/Kristian

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...