I got a strange error as:
Checking conf files for typos... Possible typo in stanza [indexAndForward] in /opt/splunk/etc/apps/linuxForwarder_output/default/outputs.conf, line 8: selectiveIndexing = true There might be typos in your conf files. For more information, run 'splunk btool check --debug'
and my outputs.conf is
defaultGroup = noforward
Can you show me why ? i just only copied the word and it seems not to have any erro
The configurations typo check is compared to the spec files stored in system/README, example for outputs.conf
I checked the spec and the parameter "selectiveIndexing" is not listed. While it is mentioned on the documentation there : http://docs.splunk.com/Documentation/Splunk/4.3.4/Deploy/Routeandfilterdatad
It may be an obscure missing parameter in the spec, or a mistake in the docs, let me open a bug to find out.
Except the typo warning, is your configuration working ?
all the configuration worked, the data go from another Universal Forwarder to that machine is transfered to indexer01 and indexer02. But the local input data that i used in inputs.conf:
TCPROUTING = indexer01
it doesn't be sent to indexer01
that all what i want to say
@sieutruc, I don't see anything outright. You could have a char outside the standard unicode table causing Splunk to choke. Also have you edited your inputs.conf to have explicity target groups, but I am guessing you are not getting that far.
I would try using:
./splunk cmd btool check -dir=/opt/splunk/etc/apps/linuxForwarderoutput/default outputs --debug
./splunk cmd btool dir=/opt/splunk/etc/apps/linuxForwarderoutput/default outputs list --debug
This might help display where exactly.
Note: btool is not tested by Splunk and is not officially supported or guaranteed. That said, it's what our Support team uses when trying to troubleshoot your issues.
Hope this helps.
Yes, i did. I configured the inputs.conf to have explicit target groups. I let all configuration file in my office. In fact, i don't understand why it caused an error. I see it run in splunkd log, but without sending externally or locally indexing.
I used winscp edit tool that runs fine until now, just only this time got a problem.
Maybe i'll contact Splunk support if it doesn't work