All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Error shown as part of props.conf

ppurokit
Path Finder
‎04-16-2014 11:29 AM

Hi All,

Recently i download the "Splunk for F5 Access" app and installed into into my Splunk Box.

Whenever i restart the splunk process I see the following Configuration Warning

Checking filesystem compatibility... Done

            Possible typo in stanza [firepass_log] in /home/splunk/etc/apps/firepass/default/props.conf, line 6: TRANSFORM  =  firepass-host
            There might be typos in your conf files. For more information, run 'splunk btool check --debug'
    Checking conf files for typos...        Done

All preliminary checks passed.

Content of Props.conf:

[firepass_log]
KV_MODE = none
TIME_FORMAT = %b%d%H:%M:%S
TRANSFORM = firepass_host
REPORT-sid = firepass-host,firepass_term_host_prt,firepass_login_src,firepass_failed_valid,firepass_failed_invalid,firepass_sid_full,firepass_sid_full_condensed,firepass_sid,firepass_sid_kv,firepass_access_type,firepass_remote,firepass_intrusion,firepass_app_tunnel_remote_host,firepass_user_domain,firepass_logon_denied

Transforms.conf

[firepass_host]
DEST_KEY = MetaData:Host
REGEX = (\d+\.\d+.\d+.\d+)
FORMAT = host::$1

Can someone please help me here to find whats the issue is ?

0 Karma
Reply

linu1988
Champion
‎04-16-2014 01:06 PM

As you see it highlights the part where we have the error in the syntax.

Props.conf requires the Transform- instead only Transform is provided in the setting which is throwing the error during validation. Make it 

[firepass_log]
KV_MODE = none
TIME_FORMAT = %b%d%H:%M:%S
TRANSFORMS-firepass = firepass_host

this should fix the error.

Reply

linu1988
Champion
‎04-16-2014 11:20 PM

did you restart splunk? it shouldn't find the same error after changing, coz that wouldn't be there at all

0 Karma
Reply

ppurokit
Path Finder
‎04-16-2014 11:00 PM

Hi Linu1988,

I tried as you said also. Still have the same problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...