Re: Error shown as part of props.conf

ppurokit · ‎04-16-2014

Hi All,

Recently i download the "Splunk for F5 Access" app and installed into into my Splunk Box.

Whenever i restart the splunk process I see the following Configuration Warning

Checking filesystem compatibility... Done

            Possible typo in stanza [firepass_log] in /home/splunk/etc/apps/firepass/default/props.conf, line 6: TRANSFORM  =  firepass-host
            There might be typos in your conf files. For more information, run 'splunk btool check --debug'
    Checking conf files for typos...        Done

All preliminary checks passed.

Content of Props.conf:

[firepass_log]
KV_MODE = none
TIME_FORMAT = %b%d%H:%M:%S
TRANSFORM = firepass_host
REPORT-sid = firepass-host,firepass_term_host_prt,firepass_login_src,firepass_failed_valid,firepass_failed_invalid,firepass_sid_full,firepass_sid_full_condensed,firepass_sid,firepass_sid_kv,firepass_access_type,firepass_remote,firepass_intrusion,firepass_app_tunnel_remote_host,firepass_user_domain,firepass_logon_denied

Transforms.conf

[firepass_host]
DEST_KEY = MetaData:Host
REGEX = (\d+\.\d+.\d+.\d+)
FORMAT = host::$1

Can someone please help me here to find whats the issue is ?

linu1988 · ‎04-16-2014

As you see it highlights the part where we have the error in the syntax.

Props.conf requires the Transform- instead only Transform is provided in the setting which is throwing the error during validation. Make it

[firepass_log]
KV_MODE = none
TIME_FORMAT = %b%d%H:%M:%S
TRANSFORMS-firepass = firepass_host

this should fix the error.

linu1988 · ‎04-16-2014

did you restart splunk? it shouldn't find the same error after changing, coz that wouldn't be there at all

ppurokit · ‎04-16-2014

Hi Linu1988,

I tried as you said also. Still have the same problem.

Error shown as part of props.conf

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!