Invalid key-value parser, ignoring it, transform_name='leef_header'

ChrisBell04
Communicator

FYI

The latest 1.0.14 app has some invalid configs in props/transforms. Splunkd.log complains about the following:

WARN  SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='leef_header'
WARN  SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='leef_body'

Neither leef_header nor leef_body stanzas are in transforms.conf, which are being used by:

REPORT-leef_data = leef_header, leef_body

Any plans on separating this out into a dedicated addon and app?

0 Karma

prakash007
Builder

@ChrisBell04: What do your props and transforms look like?
Run this to check for any invalid configs: $SPLUNK_HOME/bin/splunk btool check

0 Karma

ChrisBell04
Communicator

A fresh download of the app from Splunkbase has the invalid entries Splunk is complaining about. There are no leef_ stanzas in transforms.conf. Yes, it's an easy fix... reporting it so the author will eventually correct it.

\VormetricDataSecurityLite\default\props.conf
[leef]
TRANSFORMS-syslog = test_for_syslog
TRANSFORMS-unknown = test_for_not_leef
TRANSFORMS-host = leef_host
REPORT-leef_data = leef_header, leef_body
SHOULD_LINEMERGE = false
TIME_PREFIX = devTime=
TIME_FORMAT = %Y-%m-%dT%H.%M.%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
TZ = UTC
0 Karma
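
The mismatch reported in this thread, a props.conf REPORT- or TRANSFORMS- setting naming a stanza that transforms.conf does not define, can be checked mechanically. The following is an added example, not part of the thread or the app: the function name dangling_transforms and the transforms.conf contents are constructed, and it compares one pair of files without merging default/local layers.

```python
import re

# props.conf [leef] stanza as quoted in the thread (first five settings).
PROPS = """\
[leef]
TRANSFORMS-syslog = test_for_syslog
TRANSFORMS-unknown = test_for_not_leef
TRANSFORMS-host = leef_host
REPORT-leef_data = leef_header, leef_body
SHOULD_LINEMERGE = false
"""

# Constructed transforms.conf: the REGEX values are placeholders, and it has
# no leef_* stanzas, matching what the poster describes.
TRANSFORMS = """\
[test_for_syslog]
REGEX = placeholder
[test_for_not_leef]
REGEX = placeholder
"""

STANZA = re.compile(r"^[ \t]*\[([^\]]+)\][ \t]*$", re.M)
REFERENCE = re.compile(r"^((?:REPORT|TRANSFORMS)-[^=\s]+)\s*=\s*(.*)$")


def dangling_transforms(props_text, transforms_text):
    """Return (props stanza, setting, transform) for each undefined transform."""
    defined = set(STANZA.findall(transforms_text))
    findings, current = [], None
    for raw in props_text.splitlines():
        line = raw.strip()
        m = STANZA.match(line)
        if m:  # entering a new props.conf stanza
            current = m.group(1)
            continue
        m = REFERENCE.match(line)
        if m:  # value is a comma-separated list of transforms.conf stanzas
            for name in (n.strip() for n in m.group(2).split(",")):
                if name and name not in defined:
                    findings.append((current, m.group(1), name))
    return findings


if __name__ == "__main__":
    for stanza, setting, name in dangling_transforms(PROPS, TRANSFORMS):
        print(f"[{stanza}] {setting} -> missing transforms.conf stanza [{name}]")
```
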