Interesting. The logs from the original host have a connection and some errors, the same messages in the hosts I can't find logs for in my search engine. Thanks for any pointers.

Log snippet of the guy working:

03-24-2022 10:46:00.977 -0500 INFO TcpOutputProc - Found currently active indexer. Connected to idx=10.21.20.29:9997, reuse=1.
03-24-2022 10:46:04.626 -0500 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lastlog.sh" /bin/sh: /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/lastlog.sh: Permission denied
03-24-2022 10:46:09.488 -0500 INFO ChunkedLBProcessor - Failed to find EVENT_BREAKER regex in props.conf for sourcetype::linux_secure. Reverting to the default EVENT_BREAKER regex for now.
03-24-2022 10:46:14.012 -0500 INFO ChunkedLBProcessor - Failed to find EVENT_BREAKER regex in props.conf for sourcetype::syslog. Reverting to the default EVENT_BREAKER regex for now.
03-24-2022 10:46:24.910 -0500 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh" /bin/sh: /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh: Permission denied
03-24-2022 10:46:30.907 -0500 INFO TcpOutputProc - Found currently active indexer. Connected to idx=10.21.20.29:9997, reuse=1.

Log snippet of guy not working:

03-24-2022 10:44:53.096 -0500 INFO TcpOutputProc - Found currently active indexer. Connected to idx=10.21.20.29:9997, reuse=1.
03-24-2022 10:44:57.012 -0500 INFO ChunkedLBProcessor - Failed to find EVENT_BREAKER regex in props.conf for sourcetype::syslog. Reverting to the default EVENT_BREAKER regex for now.
03-24-2022 10:44:57.014 -0500 INFO ChunkedLBProcessor - Failed to find EVENT_BREAKER regex in props.conf for sourcetype::syslog. Reverting to the default EVENT_BREAKER regex for now.
03-24-2022 10:45:07.035 -0500 INFO ChunkedLBProcessor - Failed to find EVENT_BREAKER regex in props.conf for sourcetype::syslog. Reverting to the default EVENT_BREAKER regex for now.
03-24-2022 10:45:07.038 -0500 INFO ChunkedLBProcessor - Failed to find EVENT_BREAKER regex in props.conf for sourcetype::syslog. Reverting to the default EVENT_BREAKER regex for now.
03-24-2022 10:45:22.933 -0500 INFO TcpOutputProc - Found currently active indexer. Connected to idx=10.21.20.29:9997, reuse=1.
03-24-2022 10:45:25.054 -0500 INFO ChunkedLBProcessor - Failed to find EVENT_BREAKER regex in props.conf for sourcetype::syslog. Reverting to the default EVENT_BREAKER regex for now.
03-24-2022 10:45:25.059 -0500 INFO ChunkedLBProcessor - Failed to find EVENT_BREAKER regex in props.conf for sourcetype::syslog. Reverting to the default EVENT_BREAKER regex for now.
03-24-2022 10:45:33.523 -0500 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh" /bin/sh: /opt/splunkforwarder/etc/apps/Splunk_TA_nix/bin/rlog.sh: Permission denied
03-24-2022 10:45:35.088 -0500 INFO ChunkedLBProcessor - Failed to find EVENT_BREAKER regex in props.conf for sourcetype::syslog. Reverting to the default EVENT_BREAKER regex for now.
[root@rjbandwpoc2 splunk]#