Invalid key-value parser, ignoring it, transform_name='leef_header'

ChrisBell04
Communicator

FYI

The latest 1.0.14 app has some invalid configs in props/transforms. Splunkd.log complains about the following:

WARN  SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='leef_header'
WARN  SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='leef_body'

Neither leef_header nor leef_body stanzas are in transforms.conf, which are being used by:

REPORT-leef_data = leef_header, leef_body

Any plans on separating this out into a dedicated addon and app?

0 Karma

prakash007
Builder

@ChrisBell04: what do your props and transforms look like?
Run this to check for any invalid configs: $SPLUNK_HOME/bin/splunk btool check

0 Karma

ChrisBell04
Communicator

A fresh download of the app from Splunkbase has the invalid entries Splunk is complaining about. There are no leef_ stanzas in transforms.conf. Yes, it's an easy fix... reporting it so the author will eventually correct it.

\VormetricDataSecurityLite\default\props.conf
[leef]
TRANSFORMS-syslog = test_for_syslog
TRANSFORMS-unknown = test_for_not_leef
TRANSFORMS-host = leef_host
REPORT-leef_data = leef_header, leef_body
SHOULD_LINEMERGE = false
TIME_PREFIX = devTime=
TIME_FORMAT = %Y-%m-%dT%H.%M.%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC

0 Karma
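
An added example, not part of the thread or the app's own code: a Python check that flags REPORT-/TRANSFORMS- settings in props.conf that name stanzas absent from transforms.conf, the condition behind the two warnings reported above. The transforms.conf content is constructed, and the check reads a single pair of files rather than Splunk's merged configuration, so stanzas defined in local/ or in another app would have to be concatenated into the input first.

```python
import re

# Constructed sample: part of the [leef] stanza quoted in the thread.
PROPS = """\
[leef]
TRANSFORMS-syslog = test_for_syslog
TRANSFORMS-unknown = test_for_not_leef
TRANSFORMS-host = leef_host
REPORT-leef_data = leef_header, leef_body
SHOULD_LINEMERGE = false
"""

# Constructed transforms.conf, NOT the app's real file; stanza bodies omitted.
TRANSFORMS = """\
[test_for_syslog]
[test_for_not_leef]
[leef_host]
"""

def parse_conf(text):
    """Minimal .conf reader: {stanza: {key: value}}; skips comments and blanks."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def dangling_transforms(props_text, transforms_text):
    """Return sorted (props_stanza, setting, transform_name) lacking a stanza."""
    defined = set(parse_conf(transforms_text))
    missing = []
    for stanza, settings in parse_conf(props_text).items():
        for key, value in settings.items():
            if not key.startswith(("REPORT-", "TRANSFORMS-")):
                continue  # e.g. SHOULD_LINEMERGE references no transform
            names = [n.strip() for n in value.split(",") if n.strip()]
            missing += [(stanza, key, n) for n in names if n not in defined]
    return sorted(missing)

if __name__ == "__main__":
    for stanza, key, name in dangling_transforms(PROPS, TRANSFORMS):
        print(f"[{stanza}] {key} -> no transforms.conf stanza '{name}'")
```

A dangling REPORT- reference means the search-time fields are never extracted, so searches and alerts that filter on those fields return nothing without raising an error of their own.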