Solved: Re: what is this typos in outputs.conf ?

sieutruc · ‎09-27-2012

Hello

I got a strange error as:

Checking conf files for typos...
Possible typo in stanza [indexAndForward] in /opt/splunk/etc/apps/linuxForwarder_output/default/outputs.conf, line 8: selectiveIndexing = true
There might be typos in your conf files. For more information, run 'splunk btool check --debug'

and my outputs.conf is



[tcpout]

defaultGroup = noforward

disabled=false

[indexAndForward]

index=true

selectiveIndexing=true

[tcpout:indexer01]

server=178.17.0.46:9997

[tcpout:indexer02]

server=178.17.0.47:9997

Can you show me why ? i just only copied the word and it seems not to have any erro

yannK · ‎09-27-2012

The configurations typo check is compared to the spec files stored in system/README, example for outputs.conf
$SPLUNK_HOME/etc/system/README/outputs.conf.spec

I checked the spec and the parameter "selectiveIndexing" is not listed. While it is mentioned on the documentation there : http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Routeandfilterdatad
It may be an obscure missing parameter in the spec, or a mistake in the docs, let me open a bug to find out.

Except the typo warning, is your configuration working ?

View solution in original post

bmacias84 · ‎09-27-2012

@sieutruc, I don't see anything outright. You could have a char outside the standard unicode table causing Splunk to choke. Also have you edited your inputs.conf to have explicity target groups, but I am guessing you are not getting that far.

I would try using:



./splunk cmd btool check -dir=/opt/splunk/etc/apps/linuxForwarder_output/default outputs --debug



./splunk cmd btool dir=/opt/splunk/etc/apps/linuxForwarder_output/default outputs list --debug

This might help display where exactly.

Usebtooltotroubleshootconfigurations

Note: btool is not tested by Splunk and is not officially supported or guaranteed. That said, it's what our Support team uses when trying to troubleshoot your issues.

Hope this helps.

sieutruc · ‎09-27-2012

Yes, i did. I configured the inputs.conf to have explicit target groups. I let all configuration file in my office. In fact, i don't understand why it caused an error. I see it run in splunkd log, but without sending externally or locally indexing.
I used winscp edit tool that runs fine until now, just only this time got a problem.
Maybe i'll contact Splunk support if it doesn't work

yannK · ‎09-27-2012

The configurations typo check is compared to the spec files stored in system/README, example for outputs.conf
$SPLUNK_HOME/etc/system/README/outputs.conf.spec

I checked the spec and the parameter "selectiveIndexing" is not listed. While it is mentioned on the documentation there : http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Routeandfilterdatad
It may be an obscure missing parameter in the spec, or a mistake in the docs, let me open a bug to find out.

Except the typo warning, is your configuration working ?

sieutruc · ‎10-01-2012

So what should i do now ? do i need to update Splunk instance ?

yannK · ‎09-27-2012

I confirm this seems to be a bug in 4.3.*, the ref is SPL-55915

sieutruc · ‎09-27-2012

all the configuration worked, the data go from another Universal Forwarder to that machine is transfered to indexer01 and indexer02. But the local input data that i used in inputs.conf:
[inputdata]
_TCP_ROUTING = indexer01
it doesn't be sent to indexer01
that all what i want to say

what is this typos in outputs.conf ?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?