Hi folks, we deployed an updated outputs.conf across our enterprise to get the forwarders to report to new index servers. I have a forwarder that, according to its own logs, is still reporting to the old indexers. The debug tool says it is configured properly for the new indexers. I have disabled the deployment client. I can't find any reference to the old servers anywhere in the config, yet it is still reporting to the old servers after multiple restarts.
If your new outputs.conf is configured in a separate app, check in app.conf whether by any chance it has state = disabled. If it does, comment this line out (or change it to state = enabled).
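The check suggested in the reply above, as an added example (not code from the thread or from Splunk): it lists apps that contain an outputs.conf but are marked state = disabled in the [install] stanza of app.conf. It assumes the usual $SPLUNK_HOME/etc/apps layout with default/ and local/ subdirectories; the sample tree and its app names are constructed.

```python
import sys
import tempfile
from pathlib import Path

def install_state(conf_path):
    """Return the [install] 'state' value from one app.conf, or None if unset."""
    if not conf_path.is_file():
        return None
    stanza, state = None, None
    for line in (raw.strip() for raw in conf_path.read_text(encoding="utf-8").splitlines()):
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
        elif stanza == "install" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "state":
                state = value.lower()
    return state

def disabled_apps_with_outputs(apps_dir):
    """Apps that carry an outputs.conf but are disabled; local/ overrides default/."""
    hits = []
    for root in sorted(p for p in Path(apps_dir).iterdir() if p.is_dir()):
        has_outputs = any((root / layer / "outputs.conf").is_file() for layer in ("default", "local"))
        state = install_state(root / "local" / "app.conf") or install_state(root / "default" / "app.conf")
        if has_outputs and state == "disabled":
            hits.append(root.name)
    return hits

def build_sample_tree(base):
    """Constructed sample layout (hypothetical app names), not from the thread."""
    sample = {
        "new_indexers/default/app.conf": "[install]\nstate = disabled\n",
        "new_indexers/local/outputs.conf": "[tcpout]\n",
        "old_indexers/default/outputs.conf": "[tcpout]\n",
        "reenabled/default/app.conf": "[install]\nstate = disabled\n",
        "reenabled/local/app.conf": "[install]\nstate = enabled\n",
        "reenabled/local/outputs.conf": "[tcpout]\n",
    }
    for rel, body in sample.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
    return base

if __name__ == "__main__":
    apps = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(tempfile.mkdtemp())
    print(disabled_apps_with_outputs(apps))
```

Run it with the forwarder's apps directory as the only argument; with no argument it runs against the constructed sample tree.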
Hey! So, the new inputs.conf was pointing to the wrong addresses for the index servers. I can't figure out how it knew to go to the old servers, but at any rate, now it's going to the new index server and getting an SSL error. Thanks!
I checked that deploymentclient.conf was set to "disabled = true"
Yes, the btool:
splunk cmd btool outputs --debug list
The forwarder's own logs show it connecting to the old server.
The Splunk Enterprise web interface tool search shows the events that the forwarder is reporting are reported from the old server.