new outputs.conf, debug shows new server, forwarde...

cjc_spladmin · ‎06-24-2020

Hi folks, we deployed an updated outputs.conf across our enterprise to get the forwarders to report to new index servers. I have a forwarder that according to its own logs, is still reporting to the old indexers. The debug tool says it is configured properly for the new indexers. I have disabled deployment client. I can't find any reference to the old servers anywhere in the config, yet it is still reporting to the old servers after multiple restarts.

ilya_resh · ‎06-24-2020

If your new outputs.conf is configured in a separate app, check in app.conf whether by any chance it has state = disabled. If it is, comment this line out (or change to state = enabled)

cjc_spladmin · ‎06-24-2020

Hey! So, the new inputs.conf was pointing to the wrong addresses for the index servers. I can't figure out how it knew to go to the old servers, but at any rate, now it's going to the new index server and getting an SSL error. Thanks!

richgalloway · ‎06-24-2020

By "debug tool" do you mean btool?
What do you mean by "disabled deployment client"?
When you search for the forwarders logs on a SH, does the splunk_server field show the new indexer(s) or old?

---
If this reply helps you, Karma would be appreciated.

cjc_spladmin · ‎06-24-2020

I checked that deploymentclient.conf was set to "disabled = true"

yes, the btool

splunk cmd btool outputs --debug list

The forwarders own logs show it connecting to the old server.

The splunk enterprise web interface tool search shows the events that the forwarder is reporting, are reported from the old server.

new outputs.conf, debug shows new server, forwarder still going to the old server

Linux

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!