Splunk Search

How are our forwarders working without an Outputs.conf file

Gregski11
Contributor

so recently I went to troubleshoot some servers that were not showing up in our queries and that's when I discovered that the ones that work that actually send their Even Log data to our Indexers they do not have an Outputs.conf file, how can that be? in the etc\system\local that is 

Labels (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Gregski11,

if a forwarders sends lohs to indexers it must have an outputs.conf file, maybe not in $SPLUNK_HOME\etc\system\local, but in another location.

It0s usuallt a best practice to put outputs.conf and deploymentclient.conf files not in the above folder but in a dedicated TA ()called e.g. TA_Forwarders) to manage using a Deployment Server, in this way you can easily change or add Indexers or Deployment Server.

You can find the outputs.conf file using btool command by CLI on the Forwarder (https://docs.splunk.com/Documentation/Splunk/8.2.6/Troubleshooting/Usebtooltotroubleshootconfigurati...).

in few words:

./splunk btool outputs list --debug

the output will be the list of all options in all outputs.conf files present in your Forwarder.

Ciao.

Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi @Gregski11,

if a forwarders sends lohs to indexers it must have an outputs.conf file, maybe not in $SPLUNK_HOME\etc\system\local, but in another location.

It0s usuallt a best practice to put outputs.conf and deploymentclient.conf files not in the above folder but in a dedicated TA ()called e.g. TA_Forwarders) to manage using a Deployment Server, in this way you can easily change or add Indexers or Deployment Server.

You can find the outputs.conf file using btool command by CLI on the Forwarder (https://docs.splunk.com/Documentation/Splunk/8.2.6/Troubleshooting/Usebtooltotroubleshootconfigurati...).

in few words:

./splunk btool outputs list --debug

the output will be the list of all options in all outputs.conf files present in your Forwarder.

Ciao.

Giuseppe

Gregski11
Contributor

@gcusello wrote:

Hi @Gregski11,

if a forwarders sends lohs to indexers it must have an outputs.conf file, maybe not in $SPLUNK_HOME\etc\system\local, but in another location.

It0s usuallt a best practice to put outputs.conf and deploymentclient.conf files not in the above folder but in a dedicated TA ()called e.g. TA_Forwarders) to manage using a Deployment Server, in this way you can easily change or add Indexers or Deployment Server.

You can find the outputs.conf file using btool command by CLI on the Forwarder (https://docs.splunk.com/Documentation/Splunk/8.2.6/Troubleshooting/Usebtooltotroubleshootconfigurati...).

in few words:

 

 

./splunk btool outputs list --debug

 

 

the output will be the list of all options in all outputs.conf files present in your Forwarder.

Ciao.

Giuseppe


ah, thank you sooooo much looks like they are in the etc\apps folder and subfolders named after our apps, really wish Splunk documentation said this, I followed like 19 of their docs and no mention of this from the forwarder and receiver perspective

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...