Configuring Internal Log Forwarding  1- 1sh 2 indx 2 if and 4 uf 1 mc 2- I can see only idx internal logs though I have configured correctly the Updated the server list under the [tcpout:primary_indexers] stanza in outputs.conf 3- what could be the issues with these simple setup not being to see the internal logs of the sh, idx, mc and if Base Config output.conf # BASE SETTINGS [tcpout] defaultGroup = primary_indexers # When indexing a large continuous file that grows very large, a universal # or light forwarder may become "stuck" on one indexer, trying to reach # EOF before being able to switch to another indexer. The symptoms of this # are congestion on *one* indexer in the pool while others seem idle, and # possibly uneven loading of the disk usage for the target index. # In this instance, forceTimebasedAutoLB can help! # ** Do not enable if you have events > 64kB ** # Use with caution, can cause broken events #forceTimebasedAutoLB = true # Correct an issue with the default outputs.conf for the Universal Forwarder # or the SplunkLightForwarder app; these don't forward _internal events. # 3/6/21 only required for versions prior to current supported forwarders. # Check forwardedindex.2.whitelist in system/default config to verify #forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent) [tcpout:primary_indexers] server = server_one:9997, server_two:9997 # If you do not have two (or more) indexers, you must use the single stanza # configuration, which looks like this: #[tcpout-server://<ipaddress_or_servername>:<port>] # <attribute1> = <val1>   # If setting compressed=true, this must also be set on the indexer. # compressed = true # INDEXER DISCOVERY (ASK THE CLUSTER MANAGER WHERE THE INDEXERS ARE) # This particular setting identifies the tag to use for talking to the # specific cluster manager, like the "primary_indexers" group tag here. # indexerDiscovery = clustered_indexers # It's OK to have a tcpout group like the one above *with* a server list; # these will act as a seed until communication with the manager can be # established, so it's a good idea to have at least a couple of indexers # listed in the tcpout group above. # [indexer_discovery:clustered_indexers] # pass4SymmKey = <MUST_MATCH_MANAGER> # This must include protocol and port like the example below. # manager_uri = https://manager.example.com:8089 # SSL SETTINGS # sslCertPath = $SPLUNK_HOME/etc/auth/server.pem # sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem # sslPassword = password # sslVerifyServerCert = true # COMMON NAME CHECKING - NEED ONE STANZA PER INDEXER # The same certificate can be used across all of them, but the configuration # here requires these settings to be per-indexer, so the same block of # configuration would have to be repeated for each. # [tcpout-server://10.1.12.112:9997] # sslCertPath = $SPLUNK_HOME/etc/certs/myServerCertificate.pem # sslRootCAPath = $SPLUNK_HOME/etc/certs/myCAPublicCertificate.pem # sslPassword = server_privkey_password # sslVerifyServerCert = true # sslCommonNameToCheck = servername # sslAltNameToCheck = servername Thanks for your time! ... View more

what does indicates   06-19-2025 11:09:33.046 +0000 ERROR AesGcm [65605 MainThread] - Text decryption - error in finalizing: No errors in queue 06-19-2025 11:09:33.046 +0000 ERROR AesGcm [65605 MainThread] - AES-GCM Decryption failed! 06-19-2025 11:09:33.047 +0000 ERROR Crypto [65605 MainThread] - Decryption operation failed: AES-GCM Decryption failed! 06-19-2025 11:09:33.081 +0000 ERROR AesGcm [65605 MainThread] - Text decryption - error in finalizing: No errors in queue 06-19-2025 11:09:33.081 +0000 ERROR AesGcm [65605 MainThread] - AES-GCM Decryption failed! 06-19-2025 11:09:33.081 +0000 ERROR Crypto [65605 MainThread] - Decryption operation failed: AES-GCM Decryption failed! ... View more

why this issues I was trying to upgrade the splunk enterprise  Checking prerequisites...         Checking http port [8000]: open         Checking mgmt port [8089]: open         Checking appserver port [127.0.0.1:8065]: open         Checking kvstore port [8191]: open         Checking configuration... Done.         Checking critical directories...        Done         Checking indexes...                 Validated: _audit _configtracker _dsappevent _dsclient _dsphonehome _internal _introspection _metrics _metrics_rollup _telemetry _thefishbucket history main summary         Done     Bypassing local license checks since this instance is configured with a remote license master.           Checking filesystem compatibility...  Done         Checking conf files for problems...                 Invalid key in stanza [email] in /opt/splunk/etc/apps/search/local/alert_actions.conf, line 2: show_password (value: True).                 Invalid key in stanza [cloud] in /opt/splunk/etc/apps/splunk_assist/default/assist.conf, line 14: http_client_timout_seconds (value: 30).                 Invalid key in stanza [setup] in /opt/splunk/etc/apps/splunk_secure_gateway/default/securegateway.conf, line 16: cluster_monitor_interval (value: 300).                 Invalid key in stanza [setup] in /opt/splunk/etc/apps/splunk_secure_gateway/default/securegateway.conf, line 20: cluster_mode_enabled (value: false).                 Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'         Done         Checking default conf files for edits...         Validating installed files against hashes from '/opt/splunk/splunk-9.3.4-30e72d3fb5f7-linux-2.6-x86_64-manifest'         All installed files intact.         Done All preliminary checks passed.   Starting splunk server daemon (splunkd)... PYTHONHTTPSVERIFY is set to 0 in splunk-launch.conf disabling certificate validation for the httplib and urllib libraries shipped with the embedded Python interpreter; must be set to "1" for increased security Done     Waiting for web server at https://127.0.0.1:8000 to be available.............splunkd 261927 was not running. Stopping splunk helpers...   Done. Stopped helpers. Removing stale pid file... done.     WARNING: web interface does not seem to be available! ... View more