Splunk Enterprise

How to solve this problem >Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED___default-autolb-grou

idris_tester
Explorer

Hi everybody !

 

How to solve this problem

 

>Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED___default-autolb-group_DESKTOP-MOUI7DHDF_10

 

Cuplikan layar 2025-08-15 104009.png

 

This prevents me from accessing the user and roles list page as an administrator, so I cannot invite new users.

 

Idris,

Thanks

0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @idris_tester 

I don’t think this issue is preventing you from adding users. Does this instance have a Free license applied? The free license has limitations including no user management (see https://help.splunk.com/en/data-management/splunk-enterprise-admin-manual/9.2/configure-splunk-licenses/about-splunk-free )

 

 

🌟 Did this answer help you? If so, please consider:

    • Adding karma to show it was useful
    • Marking it as the solution if it resolved your issue
    • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

idris_tester
Explorer

Hi @livehybrid , Thank you for your explanation. It seems that the cause is that the enterprise version I downloaded is a free license version. However, how can I upgrade it so that I can invite new users? I was invited to join the Splunk Private Bug Bounty program, and I need an account and license that can invite new users to test the website and API path. Thanks, Idris

0 Karma

livehybrid
SplunkTrust
SplunkTrust

Hi @idris_tester 

You should probably speak to the bounty program team to get a license provided, or see if you can change it to Trial license at https://yourSplunkInstance/en-US/manager/system/licensing

In order to access all the Splunk features you will need a full license. There are other license types available - see https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/TypesofSplunklicenses for more info and check out https://www.splunk.com/en_us/resources/personalized-dev-test-licenses/faq.html?locale=en_us for FAQs - However I think these dev/test licenses require a production paid license too. 

I think the best approach here is to speak to the people running the bounty program and see if they can provide you a proper license.

Also - you are running this locally (127.0.0.1) - Are your users able to access your server on a local IP?

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

idris_tester
Explorer

Hi @livehybrid ,


Thank you for your helpful answers.

How do I change access from local (127.0.0.1) to public or non-local? Initially, I was able to invite new members (second account) and then access the second account through a different browser, and it had been working for two days, but this morning, the user feature access suddenly disappeared.

 

 

0 Karma

PickleRick
SplunkTrust
SplunkTrust

Check if your configuration contains errors.

/path/to/splunk btool check

 The messages.conf settings should not prevent you from loading the roles/users management sections of the ui however.

In what way it "prevents" you from adding users?

0 Karma

idris_tester
Explorer

Hi @PickleRick ,

Sorry, I don't quite understand what you mean, but this is what happens in my localhost browser. Can you help me fix it?

 

Thanks,

Idris

0 Karma

PrewinThomas
Motivator

@idris_tester 
-Can you check your outputs.conf for any invalid entries or missing config's.

-Check for any blocked errors highlighted in $SPLUNK_HOME/var/log/splunk/splunkd.log

Also check for any configuration conflicts or missing settings

$SPLUNK_HOME/bin/splunk btool outputs list --debug

 

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

idris_tester
Explorer

Hi @PrewinThomas 

 

I don't know how to check outputs.conf for invalid entries on my device. Could you please help provide some steps that will help me a lot, I will appreciate it.

 

Thanks,

Idris

0 Karma

PrewinThomas
Motivator

@idris_tester 

No problem. Could you please share your basic architecture setup? Is it an All-In-One deployment?

Also, please run the command below on your Heavy Forwarder or All-In-One instance and provide the output (remember to mask any sensitive information).

$SPLUNK_HOME/bin/splunk btool outputs list --debug

 

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

 

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.

Can’t make it to .conf25? Join us online!

Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...