All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to clear up eventgen.conf "Invalid key in stanza" errors after installing the Splunk Add-on for Microsoft Windows on Linux indexers?

banderson7
Communicator
‎07-19-2016 05:36 AM

Version 6.4 of Splunk Enterprise on my linux indexers, after I install the latest Splunk_TA_windows on it I get the following messages. How do I clean this up?:

               Invalid key in stanza [windowsevent] in /opt/splunk_ind/etc/apps/search/local/props.conf, line 70: regex  (value:  ^(?:[^,\n]*,){3}\s+\w+="(?P<FQDN>[^"]+)(?:[^"\n]*"){2}(?P<OScode>[^"]+)[^=\n]*="(?P<Logfile>[^"]+)[^,\n]*,\s+\w+=(?P<EventCode>[^,]+)[^=\n]*=(?P<EventType>[^,]+)[^=\n]*="(?P<SourceName>[^"]+)(?:[^"\n]*"){2}(?P<Message>[^"]+)).
                Invalid key in stanza [sample.DhcpSrvLog] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 5: index  (value:  windows).
                Invalid key in stanza [sample.DhcpSrvLog] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 6: source (value: c:\windows\system32\dhcp\dhcpsrvlog.log).
                Invalid key in stanza [sample.DhcpSrvLog] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 7: sourcetype  (value:  DhcpSrvLog).
                Invalid key in stanza [.*\.WindowsUpdateLog] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 21: index  (value:  windows).
                Invalid key in stanza [.*\.WindowsUpdateLog] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 22: source  (value:  WindowsUpdateLog).
                Invalid key in stanza [.*\.WindowsUpdateLog] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 23: sourcetype  (value:  WindowsUpdateLog).
                Invalid key in stanza [WindowsUpdateClient.19.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 37: index  (value:  windows).
                Invalid key in stanza [WindowsUpdateClient.19.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 38: source  (value:  WindowsUpdateLog).
                Invalid key in stanza [WindowsUpdateClient.19.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 39: sourcetype  (value:  WindowsUpdateLog).
                Invalid key in stanza [sample.win_listening_ports] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 51: index  (value:  windows).
                Invalid key in stanza [sample.win_listening_ports] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 52: source  (value:  Script:ListeningPorts).
                Invalid key in stanza [sample.win_listening_ports] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 53: sourcetype  (value:  Script:ListeningPorts).
                Invalid key in stanza [sample.win_installed_apps] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 82: index  (value:  windows).
                Invalid key in stanza [sample.win_installed_apps] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 83: source  (value:  Script:InstalledApps).
                Invalid key in stanza [sample.win_installed_apps] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 84: sourcetype  (value:  Script:InstalledApps).
                Invalid key in stanza [.*\.monitorware] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 99: index  (value:  main).
                Invalid key in stanza [.*\.monitorware] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 100: source  (value:  MonitorWare:Security).
                Invalid key in stanza [.*\.monitorware] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 101: sourcetype  (value:  MonitorWare:Security).
                Invalid key in stanza [.*\.ntsyslog] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 145: index  (value:  main).
                Invalid key in stanza [.*\.ntsyslog] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 146: source  (value:  NTSyslog:Security).
                Invalid key in stanza [.*\.ntsyslog] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 147: sourcetype  (value:  NTSyslog:Security).
                Invalid key in stanza [.*\.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 161: index  (value:  perfmon).
                Invalid key in stanza [CPUTime.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 174: index  (value:  perfmon).
                Invalid key in stanza [CPUTime.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 175: source  (value:  Perfmon:CPU).
                Invalid key in stanza [CPUTime.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 176: sourcetype  (value:  Perfmon:CPU).
                Invalid key in stanza [FreeDiskSpace.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 189: index  (value:  perfmon).
                Invalid key in stanza [FreeDiskSpace.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 190: source  (value:  Perfmon:FreeDiskSpace).
                Invalid key in stanza [FreeDiskSpace.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 191: sourcetype  (value:  Perfmon:FreeDiskSpace).
                Invalid key in stanza [Memory.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 204: source  (value:  Perfmon:Memory).
                Invalid key in stanza [Memory.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 205: sourcetype  (value:  Perfmon:Memory).
                Invalid key in stanza [LocalNetwork.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 210: source  (value:  Perfmon:LocalNetwork).
                Invalid key in stanza [LocalNetwork.perfmon] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 211: sourcetype  (value:  Perfmon:LocalNetwork).
                Invalid key in stanza [.*\.snare] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 217: index  (value:  wineventlog).
                Invalid key in stanza [.*\.snare] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 218: source  (value:  WinEventLog:Security).
                Invalid key in stanza [.*\.snare] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 219: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [.*\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 263: index  (value:  wineventlog).
                Invalid key in stanza [SCM.7036.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 292: index  (value:  wineventlog).
                Invalid key in stanza [SCM.7036.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 293: source  (value:  WinEventLog:System).
                Invalid key in stanza [SCM.7036.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 294: sourcetype  (value:  WinEventLog:System).
                Invalid key in stanza [LSASRV.40961.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 297: index  (value:  wineventlog).
                Invalid key in stanza [LSASRV.40961.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 298: source  (value:  WinEventLog:System).
                Invalid key in stanza [LSASRV.40961.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 299: sourcetype  (value:  WinEventLog:System).
                Invalid key in stanza [AppPopup.26.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 302: index  (value:  wineventlog).
                Invalid key in stanza [AppPopup.26.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 303: source  (value:  WinEventLog:System).
                Invalid key in stanza [AppPopup.26.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 304: sourcetype  (value:  WinEventLog:System).
                Invalid key in stanza [W32Time\.[0-9]*\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 307: index  (value:  wineventlog).
                Invalid key in stanza [W32Time\.[0-9]*\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 308: source  (value:  WinEventLog:System).
                Invalid key in stanza [W32Time\.[0-9]*\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 309: sourcetype  (value:  WinEventLog:System).
                Invalid key in stanza [Security\.[0-9]*\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 312: index  (value:  wineventlog).
                Invalid key in stanza [Security\.[0-9]*\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 313: source  (value:  WinEventLog:Security).
                Invalid key in stanza [Security\.[0-9]*\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 314: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [Security\.(528|529|537|539|540|552)\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 327: index  (value:  wineventlog).
                Invalid key in stanza [Security\.(528|529|537|539|540|552)\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 328: source  (value:  WinEventLog:Security).
                Invalid key in stanza [Security\.(528|529|537|539|540|552)\.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 329: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.529.anomaly.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 354: index  (value:  wineventlog).
                Invalid key in stanza [Security.529.anomaly.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 355: source  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.529.anomaly.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 356: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.552.anomaly.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 394: index  (value:  wineventlog).
                Invalid key in stanza [Security.552.anomaly.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 395: source  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.552.anomaly.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 396: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.680.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 436: index  (value:  wineventlog).
                Invalid key in stanza [Security.680.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 437: source  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.680.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 438: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.1102.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 448: index  (value:  wineventlog).
                Invalid key in stanza [Security.1102.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 449: source  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.1102.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 450: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.4726.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 456: index  (value:  wineventlog).
                Invalid key in stanza [Security.4726.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 457: source  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.4726.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 458: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.4743.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 464: index  (value:  wineventlog).
                Invalid key in stanza [Security.4743.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 465: source  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.4743.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 466: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.4672.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 472: index  (value:  wineventlog).
                Invalid key in stanza [Security.4672.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 473: source  (value:  WinEventLog:Security).
                Invalid key in stanza [Security.4672.windows] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 474: sourcetype  (value:  WinEventLog:Security).
                Invalid key in stanza [.*\.winregistry] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 482: index  (value:  windows).
                Invalid key in stanza [.*\.winregistry] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 483: source  (value:  WinRegistry).
                Invalid key in stanza [.*\.winregistry] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 484: sourcetype  (value:  WinRegistry).
                Invalid key in stanza [.*\.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 499: index  (value:  windows).
                Invalid key in stanza [ComputerSystem.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 514: index  (value:  perfmon).
                Invalid key in stanza [ComputerSystem.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 515: source  (value:  Perfmon:Memory).
                Invalid key in stanza [ComputerSystem.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 516: sourcetype  (value:  Perfmon:Memory).
                Invalid key in stanza [CPUTime.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 522: index  (value:  perfmon).
                Invalid key in stanza [CPUTime.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 523: source  (value:  Perfmon:CPUTime).
                Invalid key in stanza [CPUTime.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 524: sourcetype  (value:  Perfmon:CPUTime).
                Invalid key in stanza [FreeDiskSpace.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 535: index  (value:  perfmon).
                Invalid key in stanza [FreeDiskSpace.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 536: source  (value:  Perfmon:FreeDiskSpace).
                Invalid key in stanza [FreeDiskSpace.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 537: sourcetype  (value:  Perfmon:FreeDiskSpace).
                Invalid key in stanza [InstalledUpdates.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 548: index  (value:  windows).
                Invalid key in stanza [InstalledUpdates.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 549: source  (value:  WindowsUpdateLog).
                Invalid key in stanza [InstalledUpdates.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 550: sourcetype  (value:  WindowsUpdateLog).
                Invalid key in stanza [LocalNetwork.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 556: index  (value:  perfmon).
                Invalid key in stanza [LocalNetwork.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 557: source  (value:  Perfmon:LocalNetwork).
                Invalid key in stanza [LocalNetwork.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 558: sourcetype  (value:  Perfmon:LocalNetwork).
                Invalid key in stanza [LocalPhysicalDisk.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 564: index  (value:  perfmon).
                Invalid key in stanza [LocalPhysicalDisk.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 565: source  (value:  Perfmon:LocalPhysicalDisk).
                Invalid key in stanza [LocalPhysicalDisk.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 566: sourcetype  (value:  Perfmon:LocalPhysicalDisk).
                Invalid key in stanza [LocalProcesses.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 572: index  (value:  perfmon).
                Invalid key in stanza [LocalProcesses.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 573: source  (value:  Perfmon:LocalProcesses).
                Invalid key in stanza [LocalProcesses.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 574: sourcetype  (value:  Perfmon:LocalProcesses).
                Invalid key in stanza [Memory.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 580: index  (value:  perfmon).
                Invalid key in stanza [Memory.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 581: source  (value:  Perfmon:Memory).
                Invalid key in stanza [Memory.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 582: sourcetype  (value:  Perfmon:Memory).
                Invalid key in stanza [ScheduledJobs.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 588: index  (value:  windows).
                Invalid key in stanza [ScheduledJobs.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 589: source  (value:  WMI:ScheduledJobs).
                Invalid key in stanza [ScheduledJobs.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 590: sourcetype  (value:  WMI:ScheduledJobs).
                Invalid key in stanza [Service.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 596: index  (value:  windows).
                Invalid key in stanza [Service.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 597: source  (value:  WMI:Service).
                Invalid key in stanza [Service.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 598: sourcetype  (value:  WMI:Service).
                Invalid key in stanza [Uptime.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 604: index  (value:  windows).
                Invalid key in stanza [Uptime.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 605: source  (value:  WMI:Uptime).
                Invalid key in stanza [Uptime.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 606: sourcetype  (value:  WMI:Uptime).
                Invalid key in stanza [UserAccounts.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 612: index  (value:  windows).
                Invalid key in stanza [UserAccounts.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 613: source  (value:  WMI:UserAccounts).
                Invalid key in stanza [UserAccounts.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 614: sourcetype  (value:  WMI:UserAccounts).
                Invalid key in stanza [Version.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 620: index  (value:  windows).
                Invalid key in stanza [Version.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 621: source  (value:  WMI:Version).
                Invalid key in stanza [Version.wmi] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 622: sourcetype  (value:  WMI:Version).
                Invalid key in stanza [WinHostMon-OperatingSystem] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 627: index  (value:  windows).
                Invalid key in stanza [WinHostMon-OperatingSystem] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 628: sourcetype  (value:  WinHostMon).
                Invalid key in stanza [WinHostMon-OperatingSystem] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 629: source  (value:  OperatingSystem).
                Invalid key in stanza [WinHostMon-Processor] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 633: index  (value:  windows).
                Invalid key in stanza [WinHostMon-Processor] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 634: sourcetype  (value:  Processor).
                Invalid key in stanza [WinHostMon-Processor] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 635: source  (value:  Computer).
                Invalid key in stanza [XmlSecurity\.[0-9]*\.windows\.xml] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 639: index  (value:  wineventlog).
                Invalid key in stanza [XmlSecurity\.[0-9]*\.windows\.xml] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 640: source  (value:  WinEventLog:Security).
                Invalid key in stanza [XmlSecurity\.[0-9]*\.windows\.xml] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 641: sourcetype  (value:  XmlWinEventLog:Security).
                Invalid key in stanza [XmlSystem.update_.*\.xml] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 645: index  (value:  wineventlog).
                Invalid key in stanza [XmlSystem.update_.*\.xml] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 646: source  (value:  WinEventLog:System).
                Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
                Invalid key in stanza [XmlSystem.update_.*\.xml] in /opt/splunk_ind/etc/apps/Splunk_TA_windows/default/eventgen.conf, line 647: sourcetype  (value:  XmlWinEventLog:System).
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎07-19-2016 05:53 AM

Hi banderson7, renaming the eventgen.conf file to something like eventgen.conf.bak would clear up most of these messages. Usually eventgen isn't needed, and if you aren't using it then it's just noise.

Please let me know if this answers your question! 😄

View solution in original post

Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎07-19-2016 06:08 AM

Why are you installing the Splunk ta for WINDOWS on a linux device? That's why you're getting these errors. It's not meant to be installed on linux Splunk instances. Try the Splunk ta for linux instead.

To "clean it up" remove the Splunk ta for windows from /opt/splunk_ind/etc/apps/ and restart Splunk. rm -Rf /opt/splunk_ind/etc/apps/splunk_ta_windows and then restarting Splunk should do the trick.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎07-19-2016 06:13 AM

Are you doing this for the "props"? The TA only goes on the windows forwarders to my knowledge and isn't required on the indexers.

0 Karma
Reply
Solved! Jump to solution

banderson7
Communicator
‎07-19-2016 06:17 AM

Per: http://docs.splunk.com/Documentation/WindowsAddOn/4.8.3/User/DeploytheSplunkAdd-onforWindowsinadistr...
"
Complete the procedure in "Install the Splunk Add-on for Windows" to place the Splunk Add-on for Windows onto the indexer.
If the indexer is a Windows host and you want to collect Windows data from it, configure the add-on on that host."
It would be helpful to get an idea if the TA was required on the indexers. Do I just need to add the props.conf file?

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎07-19-2016 06:42 AM

I'm going with muebels comment then. Delete eventgen.conf and then edit the props.conf to remove that one regex.

0 Karma
Reply
Solved! Jump to solution
Solution

muebel
SplunkTrust
SplunkTrust
‎07-19-2016 05:53 AM

Hi banderson7, renaming the eventgen.conf file to something like eventgen.conf.bak would clear up most of these messages. Usually eventgen isn't needed, and if you aren't using it then it's just noise.

Please let me know if this answers your question! 😄

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...