All Apps and Add-ons

Custom Cluster Map Visualization: Why am I getting "Invalid key in stanza [default] in savedsearches.conf" errors?

burwell
SplunkTrust
SplunkTrust

Hello.

I downloaded this app and the default/savedsearches.conf is

# clustermap viz defaults
display.visualizations.custom.viz_clustermap.clustermap.lat = 25.799891182088334
display.visualizations.custom.viz_clustermap.clustermap.lng = -0.52734375
display.visualizations.custom.viz_clustermap.clustermap.zoom = 2
(etc)

When I start Splunk, I get warnings:

Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_clustermap/default/savedsearches.conf, line 2: display.visualizations.custom.viz_clustermap.clustermap.lat  (value:  25.799891182088334).
Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_clustermap/default/savedsearches.conf, line 3: display.visualizations.custom.viz_clustermap.clustermap.lng  (value:  -0.52734375).
Invalid key in stanza [default] in /opt/splunk/etc/apps/viz_clustermap/default/savedsearches.conf, line 4: display.visualizations.custom.viz_clustermap.clustermap.zoom  (value:  2).
(etc)

There is no initial stanza header like [stanzahead]. Is this savedsearches.conf correct?

0 Karma
1 Solution

Masa
Splunk Employee
Splunk Employee

Splunk btool checks spec file in etc/apps/_app_name_/README directory. If those attributes are not listed, when starting Splunk, btool check will generated warning message. I just took a look at the latest version of viz_clustermap app. It contains savedseaerches.conf.spec file.
Can you double-check;
1. Splunk version is 6.4
2. viz_clustermap app is the latest version

If both are correct, please contact the author of app first, then, if that's not app specific, please file a Splunk Support case.

View solution in original post

Masa
Splunk Employee
Splunk Employee

Splunk btool checks spec file in etc/apps/_app_name_/README directory. If those attributes are not listed, when starting Splunk, btool check will generated warning message. I just took a look at the latest version of viz_clustermap app. It contains savedseaerches.conf.spec file.
Can you double-check;
1. Splunk version is 6.4
2. viz_clustermap app is the latest version

If both are correct, please contact the author of app first, then, if that's not app specific, please file a Splunk Support case.

View solution in original post

burwell
SplunkTrust
SplunkTrust

Thanks! You solved the mystery. I have not found that documented anywhere about the savedsearches.conf.spec

That was it! Thanks.

Raghav2384
Motivator

Hello,

I have the exact same configuration on mine and it's working. What version of splunk are you on? It's compatible only with 6.4

# clustermap viz defaults
display.visualizations.custom.viz_clustermap.clustermap.lat = 25.799891182088334
display.visualizations.custom.viz_clustermap.clustermap.lng = -0.52734375
display.visualizations.custom.viz_clustermap.clustermap.zoom = 2
display.visualizations.custom.viz_clustermap.clustermap.tiles = light
display.visualizations.custom.viz_clustermap.clustermap.maxClusters = 120
display.visualizations.custom.viz_clustermap.clustermap.markerColor1 = #008cff
display.visualizations.custom.viz_clustermap.clustermap.markerColor2 = #ffbf00
display.visualizations.custom.viz_clustermap.clustermap.markerColor3 = #ff0000
display.visualizations.custom.viz_clustermap.clustermap.markerColor4 = #ff00ed
display.visualizations.custom.viz_clustermap.clustermap.numberFormat_min_0 = 0.[0]
display.visualizations.custom.viz_clustermap.clustermap.numberFormat_min_1000 = 1.1a
display.visualizations.custom.viz_clustermap.clustermap.numberFormat_min_10000 = 1a
display.visualizations.custom.viz_clustermap.clustermap.numberFormat_min_1000000 = 1.1a

Can you try a fresh install from GUI or CLI whichever method you haven't used before?

Thanks,
Raghav

0 Karma

lycollicott
Motivator

Hmm, I thought that you needed to add [default], but that wasn't true for me when I installed that app on my sandbox a few minutes ago.

In fact, I get absolutely no warning or errors from that savedsearches.conf file.

0 Karma

burwell
SplunkTrust
SplunkTrust

Yeah it isn't the Windows/Unix file format issue.

I am running

Splunk Version 6.4.2
Splunk Build 00f5bb3fa822

I put just one line in savedsearches.conf and get the same error. It is puzzling.

0 Karma

lycollicott
Motivator

I even copied and pasted your 3 configuration lines over the top of those same lines in my file, but they worked.

Do you have a hidden character somewhere in those files? Maybe from the old Windows-file-copied-to-Unix problem?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!