All Apps and Add-ons

Splunk App for Microsoft SQL Server Configuration: Why am I getting "Invalid key in stanza" errors starting Splunk?

jcrival
New Member

Hi guys,

I installed Splunk App for Microsoft SQL Server, I followed all the steps. When I started splunk service I got the following error:

C:\Program Files\SplunkUniversalForwarder\bin>splunk start

Splunk> Needle. Haystack. Found.

Checking prerequisites...
Checking mgmt port [8089]: open
Checking conf files for problems...
Invalid key in stanza [WinEventLog:Microsoft-Windows-FailoverClu
stering] in c:\Program Files\SplunkUniversalForwarder\etc\apps\TA-SQLServer\defa
ult\inputs.conf, line 9: start_from (value: oldest)
Invalid key in stanza [WinEventLog:Microsoft-Windows-FailoverClu
stering] in c:\Program Files\SplunkUniversalForwarder\etc\apps\TA-SQLServer\defa
ult\inputs.conf, line 10: current_only (value: 0)
Invalid key in stanza [WinEventLog:Microsoft-Windows-FailoverClu
stering] in c:\Program Files\SplunkUniversalForwarder\etc\apps\TA-SQLServer\defa
ult\inputs.conf, line 11: checkpointInterval (value: 5)
Invalid key in stanza [perfmon://MSSQL:Databases] in c:\Program
Files\SplunkUniversalForwarder\etc\apps\TA-SQLServer\default\inputs.conf, line 1
49: counter (value: Active Transactions;Data File(s) Size (KB);Log File(s) Siz
e (KB);Log File(s) Used Size (KB);Transactions/sec)
Invalid key in stanza [perfmon://SQLServer:Databases] in c:\Prog
ram Files\SplunkUniversalForwarder\etc\apps\TA-SQLServer\default\inputs.conf, li
ne 157: counter (value: Active Transactions;Data File(s) Size (KB);Log File(s)
Size (KB);Log File(s) Used Size (KB);Transactions/sec)
Your indexes and inputs configurations are not internally consis
tent. For more information, run 'splunk btool check --debug'
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

SplunkForwarder: Starting (pid 10968)
Done

Maybe I have not configure powershell correctly, can you please help me?

0 Karma

ChrisG
Splunk Employee
Splunk Employee

Not sure if this will help you...I am not familiar with the app...but, quoting from a customer comment on the troubleshooting topic in the documentation:

Here is some troubleshooting I did to help make the app work:

Windows Server 2008 R2 and Windows 2012 R2 - Open Powershell as Administrator
PS C:>Get-Execution Policy
If it's Restricted, then do the following:
PS C:>Set-Execution Policy Bypass
Say Yes to the Execution Policy Change.
Then run Get-ExecutionPolicy and see that it changed to Bypass:
PS C:> Get-ExecutionPolicy
Bypass
Once you have that done, now you'll need to make one more change.
Open your SQL Server Management Studio and log in as sysadmin (sa). Go to Security ->Logins -> NT AUTHORITYSYSTEM (Properties) and grant the user sysadmin Server Role. Apply the change and restart your Splunk service. (Thanks Adrian: http://answers.splunk.com/answers/108974/problem-with-powershell-and-splunk_for_sqlserver-app)
Once you have all these steps done, then go into the app and run the Lookup Table Rebuilder (Searches & Reports->Lookup Table Rebuilder)

index=mssql | stats count, values(sourcetype) by host

jcrival
New Member

Thanks Chris!

0 Karma

ChrisG
Splunk Employee
Splunk Employee

Sorry, not sure what else to offer. Adrian will probably reply to this posting eventually, if no one else comes through.

0 Karma

jcrival
New Member

Thanks Crhis,

I got this error

At line:1 char:14
+ Get-Execution <<<< Policy
+ CategoryInfo : ObjectNotFound: (Get-Execution:String) [], CommandNotFoundE
xception
+ FullyQualifiedErrorId : CommandNotFoundException

Thanks

Jose Rivera

0 Karma

essklau
Path Finder

Jose, note that the command should be "Get-ExecutionPolicy". All a single, hyphenated word.

0 Karma

amiracle
Splunk Employee
Splunk Employee

You might want to check what version of Powershell you have. Do a Get-Host and see what version you have installed. I believe you want version 3.0+.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...