Splunk App for WebSphere - Splunk Enterprise 6.1.2

millern4
Communicator

Hello,

We are currently evaluating the Splunk App for WebSphere in our development environment. This environment contains 1 search head and 1 indexer.

Upon unpacking the application into /etc/apps and restarting Splunk I see the following errors on the command line:

Checking conf files for problems...

Invalid key in stanza [WebSphere:ServerExceptionLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 4: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:NativeStdOutErrLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 16: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:NativeStdOutErrLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 17: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:SystemOutErrLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 29: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:SystemOutErrLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 30: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:StartStopServerLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 36: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:StartStopServerLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 37: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:wsadminTraceout] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 46: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:wsadminTraceout] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 47: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [source::...[/\]native*.log] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 60: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:security] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 130: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:security] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 131: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:pmiconfig] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 135: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:pmiconfig] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 136: TRANSFORM-node (value: node-extract)
Invalid key in stanza [WebSphere:pmiconfig] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 137: TRANSFORM-server (value: servers-extract)
Invalid key in stanza [WebSphere:pmiconfig] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 138: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:node-metadata.properties] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 142: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:node-metadata.properties] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 143: TRANSFORM-node (value: node-extract)
Invalid key in stanza [WebSphere:node-metadata.properties] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 144: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:serverindex] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 148: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:serverindex] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 149: TRANSFORM-node (value: node-extract)
Invalid key in stanza [WebSphere:serverindex] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 150: TRANSFORM-server (value: servers-extract)
Invalid key in stanza [WebSphere:serverindex] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 151: TRANSFORM-profile (value: profile-extract)
Invalid key in stanza [WebSphere:cluster] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 156: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:cluster] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 157: TRANSFORM-cluster (value: cluster-extract)
Invalid key in stanza [WebSphere:cluster] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 158: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:deployment] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 162: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:deployment] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 163: TRANSFORM-application (value: application-extract)
Invalid key in stanza [WebSphere:deployment] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 164: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:fileregistry] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 168: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:fileregistry] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 169: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:nodegroup] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 173: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:nodegroup] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 174: TRANSFORM-nodegroup (value: nodegroup-extract)
Invalid key in stanza [WebSphere:nodegroup] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 175: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:HTTPlog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 185: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:HTTPlog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 186: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:ActivityLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 194: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:ActivityLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 195: TRANSFORM-profile (value: profile-extract)
Invalid key in stanza [UPMCAD2] in /splunk/etc/system/local/authentication.conf, line 22: pagesize (value: 0)
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Regex: subpattern name is too long (maximum 32 characters). Bad regex: (?i)0SECTION\s*(?P[\w ]*)
Config problem: invalid regex: props.conf / [WebSphere:javacore] / EXTRACT-websphere_DumpRoutineSubComponents
One or more regexes in your configuration are not valid. For details, please see directly above.

I was trying to look through documentation to see if any of these attributes contained in the props.conf or transforms.conf had been deprecated that I may be able to comment out, but for a Splunk Supported app that I just installed, that's just way too many errors to ignore.

Any help / suggestions are appreciated.

Thank you

1 Solution

ehorjus
Explorer

You have 3 issues:

1) The TRANSFORM messages are a known issue: http://docs.splunk.com/Documentation/WAS/latest/ReleaseNotes/Knownissues . In short: edit props.conf in the default directory and change all words TRANSFORM to TRANSFORMS. Then restart Splunk.

2) indexes and inputs configurations are not internally consistent: some apps contain indexes.conf, depending if you created an index while you started from some of those apps. If you upgraded to 6.1, move all entries from gettingstarted/local/indexes.conf to another app. Then restart Splunk.

3) Regex issue: also in default/props.conf, change the word websphere_DumpRoutineSubComponents (34 characters) to something smaller. It seems the field is not used in any search of the app and I guess you're not going to index javacore files. The field is probably some preparation for some search/view in the future.

Erwin
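
An added example, not part of the original answer or of the app: a small Python check for issues 1 and 3 above that rewrites singular TRANSFORM- keys to TRANSFORMS- without touching keys that are already plural or commented out, and reports named capture groups longer than the 32-character limit from the error message. The function name lint_props, the sample stanza contents and the long group name are constructed for illustration.

```python
import re

MAX_GROUP_NAME = 32  # limit quoted in the "subpattern name is too long" error

# Singular "TRANSFORM-<class> =" at the start of a line; the trailing "-" keeps
# keys already spelled "TRANSFORMS-" and commented-out lines from matching.
SINGULAR_KEY = re.compile(r"^(\s*)TRANSFORM-(?=[^=\s]+\s*=)")
# Named capture groups, written (?P<name>...) or (?<name>...).
NAMED_GROUP = re.compile(r"\(\?P?<([A-Za-z_]\w*)>")


def lint_props(text):
    """Return (fixed_text, findings) for the contents of one props.conf."""
    stanza, findings, fixed = "default", [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            stanza = stripped[1:-1]
        elif SINGULAR_KEY.match(line):
            findings.append((lineno, stanza, "TRANSFORM- should be TRANSFORMS-"))
            line = SINGULAR_KEY.sub(r"\1TRANSFORMS-", line)
        elif stripped.startswith("EXTRACT-"):
            # Report only: renaming a field can break searches that use it.
            for name in NAMED_GROUP.findall(stripped.partition("=")[2]):
                if len(name) > MAX_GROUP_NAME:
                    findings.append(
                        (lineno, stanza, f"group name {name!r} is {len(name)} chars"))
        fixed.append(line)
    return "\n".join(fixed) + "\n", findings


# Constructed sample, modelled on the stanzas named in the errors above.
SAMPLE = r"""[WebSphere:SystemOutErrLog]
TRANSFORM-was_server = server-extract
TRANSFORMS-already_ok = host-extract
# TRANSFORM-commented = host-extract
[WebSphere:javacore]
EXTRACT-short = (?i)0SECTION\s*(?P<example_field_name_longer_than_32_chars>[\w ]*)
"""

if __name__ == "__main__":
    new_text, problems = lint_props(SAMPLE)
    for lineno, stanza, message in problems:
        print(f"line {lineno} [{stanza}]: {message}")
    print(new_text, end="")
```

Run it against a copy of props.conf first and diff the result; after applying the change, 'splunk btool check --debug' (named in the startup output above) should no longer list the TRANSFORM- keys.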

millern4
Communicator

Many thanks, I have made the changes. I like using the /gc just to confirm each change 1 by 1. Thanks!

0 Karma

ehorjus
Explorer

The dot at the end of the url was the cause. I fixed the link. It brings you to the right location now.

In vi: %s/TRANSFORM/TRANSFORMS/g

0 Karma

millern4
Communicator

Thank you for the response. I looked for known issues with your link, but it does not resolve properly.

I also looked through the official app answers page and didn't find any information, so I appreciate your post.

http://answers.splunk.com/apps/188/related_questions/

0 Karma