Re: Why does Universal Forwarders complain about m...

vgrote · ‎01-19-2023

Running the Customer Success Toolkit's error report I noticed a warning on lots of Universal Forwarders that doesn't make sense to me:

19.01.23 10:49:53,614

01-19-2023 10:49:53.614 +0100 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts

host = Unix Box
source = /opt/forwarder/data/var/log/splunk/splunkd.log
sourcetype = splunkd

19.01.23 10:33:28,659

01-19-2023 10:33:28.659 +0100 WARN UserManagerPro - Can't find [distributedSearch] stanza in distsearch.conf, using default authtoken HTTP timeouts

host = Windows Box
source = C:\Program Files\Splunk\UniversalForwarder\var\log\splunk\splunkd.log
sourcetype = splunkd

Our Universal Forwarders have no distsearch.conf.

Any idea why this is reported?

And how to turn it off? We already have enough noise in our data.

Thanks in advance

Volkmar

Mahadev_Nanda · ‎01-21-2023

Hi @vgrote ,

Have you checked this https://community.splunk.com/t5/Getting-Data-In/Unable-to-find-distsearch-conf-file-on-my-system-and.... I’m not 100 sure, but looks like it may help.

Thank You

PaulPanther · ‎01-19-2023

@vgrote It is a useless Warning for UniversalForwarder. As a workaround to get rid of these log messages you could roll out a distsearch.conf file that contains only the stanza

[distributedSearch]

Why does Universal Forwarders complain about missing stanza [distributedSearch] in distsearch.conf?

distributed search

other

search performance

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases