
Custom Cluster Map Visualization: Why am I getting "Invalid key in stanza [default] in savedsearches.conf" errors?

burwell
SplunkTrust

Hello.

I downloaded this app and the default/savedsearches.conf is

# clustermap viz defaults
display.visualizations.custom.viz_clustermap.clustermap.lat = 25.799891182088334
display.visualizations.custom.viz_clustermap.clustermap.lng = -0.52734375
display.visualizations.custom.viz_clustermap.clustermap.zoom = 2
(etc)

When I start Splunk, I get warnings:

Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_clustermap/default/savedsearches.conf, line 2: display.visualizations.custom.viz_clustermap.clustermap.lat  (value:  25.799891182088334).
Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_clustermap/default/savedsearches.conf, line 3: display.visualizations.custom.viz_clustermap.clustermap.lng  (value:  -0.52734375).
Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_clustermap/default/savedsearches.conf, line 4: display.visualizations.custom.viz_clustermap.clustermap.zoom  (value:  2).
(etc)

There is no initial stanza header like [stanzahead]. Is this savedsearches.conf correct?


Masa
Splunk Employee

Splunk btool checks the spec file in the etc/apps/_app_name_/README directory. If those attributes are not listed, then when Splunk starts, the btool check will generate a warning message. I just took a look at the latest version of the viz_clustermap app. It contains a savedsearches.conf.spec file.
Can you double-check:
1. Splunk version is 6.4
2. viz_clustermap app is the latest version

If both are correct, please contact the author of the app first; then, if that's not app-specific, please file a Splunk Support case.
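
The check described in this answer, modelled as an added example (this is not Splunk's btool code and not part of the original post): every setting in a .conf file is compared against the keys declared in the app's README spec file, and undeclared ones are reported in the format of the warnings quoted in the question. The spec and conf contents are constructed samples; exact (stanza, key) matching and placing settings that precede any stanza header in [default] are assumptions of this example.

```python
import re

# Constructed sample files (not copied from the viz_clustermap app).
SPEC = """\
# README/savedsearches.conf.spec (constructed)
[default]
display.visualizations.custom.viz_clustermap.clustermap.lat = <float>
display.visualizations.custom.viz_clustermap.clustermap.lng = <float>
"""
CONF = """\
# clustermap viz defaults
display.visualizations.custom.viz_clustermap.clustermap.lat = 25.799891182088334
display.visualizations.custom.viz_clustermap.clustermap.lng = -0.52734375
display.visualizations.custom.viz_clustermap.clustermap.zoom = 2
"""

STANZA = re.compile(r"^\[(.+)\]\s*$")

def parse(text):
    """Yield (line_no, stanza, key, value); lines before any header go to 'default'."""
    stanza = "default"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "*")):  # comments / spec descriptions
            continue
        m = STANZA.match(line)
        if m:
            stanza = m.group(1)
        elif "=" in line:
            key, value = line.split("=", 1)
            yield no, stanza, key.strip(), value.strip()

def invalid_keys(conf_text, spec_text):
    """Return conf settings whose (stanza, key) is not declared in the spec."""
    declared = {(s, k) for _, s, k, _ in parse(spec_text)}
    return [(no, s, k, v) for no, s, k, v in parse(conf_text)
            if (s, k) not in declared]

def report(conf_text, spec_text, path="savedsearches.conf"):
    """Format findings like the startup warnings quoted in the question."""
    return [f"Invalid key in stanza [{s}] in {path}, line {no}: {k}  (value:  {v})."
            for no, s, k, v in invalid_keys(conf_text, spec_text)]

if __name__ == "__main__":
    print("\n".join(report(CONF, SPEC)))           # only the undeclared key
    print("with no spec file:", len(report(CONF, "")), "warnings")
```

With an empty or missing spec, every setting is reported, starting at line 2 because line 1 is the comment, which matches the line numbers in the warnings above.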

burwell
SplunkTrust

Thanks! You solved the mystery. I have not found that documented anywhere about the savedsearches.conf.spec.

That was it! Thanks.

Raghav2384
Motivator

Hello,

I have the exact same configuration on mine and it's working. What version of Splunk are you on? It's compatible only with 6.4.

# clustermap viz defaults
display.visualizations.custom.viz_clustermap.clustermap.lat = 25.799891182088334
display.visualizations.custom.viz_clustermap.clustermap.lng = -0.52734375
display.visualizations.custom.viz_clustermap.clustermap.zoom = 2
display.visualizations.custom.viz_clustermap.clustermap.tiles = light
display.visualizations.custom.viz_clustermap.clustermap.maxClusters = 120
display.visualizations.custom.viz_clustermap.clustermap.markerColor1 = #008cff
display.visualizations.custom.viz_clustermap.clustermap.markerColor2 = #ffbf00
display.visualizations.custom.viz_clustermap.clustermap.markerColor3 = #ff0000
display.visualizations.custom.viz_clustermap.clustermap.markerColor4 = #ff00ed
display.visualizations.custom.viz_clustermap.clustermap.numberFormat_min_0 = 0.[0]
display.visualizations.custom.viz_clustermap.clustermap.numberFormat_min_1000 = 1.1a
display.visualizations.custom.viz_clustermap.clustermap.numberFormat_min_10000 = 1a
display.visualizations.custom.viz_clustermap.clustermap.numberFormat_min_1000000 = 1.1a

Can you try a fresh install from the GUI or CLI, whichever method you haven't used before?

Thanks,
Raghav


lycollicott
Motivator

Hmm, I thought that you needed to add [default], but that wasn't true for me when I installed that app on my sandbox a few minutes ago.

In fact, I get absolutely no warnings or errors from that savedsearches.conf file.


burwell
SplunkTrust

Yeah, it isn't the Windows/Unix file format issue.

I am running

Splunk Version 6.4.2
Splunk Build 00f5bb3fa822

I put just one line in savedsearches.conf and get the same error. It is puzzling.


lycollicott
Motivator

I even copied and pasted your 3 configuration lines over the top of those same lines in my file, but they worked.

Do you have a hidden character somewhere in those files? Maybe from the old Windows-file-copied-to-Unix problem?
