
Splunk ES shows "Invalid key in stanza" messages when the Splunk service is restarted


Hi Folks,

I found that some "Invalid key in stanza..." messages are shown when we restart the Splunk service (with Splunk Enterprise Essential).
I would appreciate it if anyone could tell me how to fix this. Thanks.

[splunk@splunksh01 bin]$ ./splunk start

Splunk> The Notorious B.I.G. D.A.T.A.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: audit _internal _introspection _telemetry _thefishbucket accesscentersummary accesssummary accesssummary2 apache auditsummary auditsummary2 bigip bro cimmodactions cimsummary endpointsummary endpointsummary2 firedalerts history ioc ipa main main1 mcafee msad networksummary networksummary2 networksummary3 notable notablesummary oracle os pci pciposturesummary pcire q6summary pcisummary pcios perfmon proxycentersummary proxycentersummary2 reportsummary risk sessionend sessionstart snipnet sophos sos sossummarydaily summary symantec sysmon threatactivity tomcat trafficcentersummary trafficcentersummary2 ubaroute ueba weblogic websense whois windows wineventlog winevents xtremecontexts
Done

Bypassing local license checks since this instance is configured with a remote license master.

Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/SplunkSecurityEssentials/default/savedsearches.conf, line 17: display.visualizations.custom.sankeydiagramapp.sankeydiagram.showBackwards (value: 0).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/SplunkSecurityEssentials/default/savedsearches.conf, line 18: display.visualizations.custom.sankeydiagramapp.sankeydiagram.showLabels (value: 1).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/SplunkSecurityEssentials/default/savedsearches.conf, line 19: display.visualizations.custom.sankeydiagramapp.sankeydiagram.showLegend (value: 1).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/SplunkSecurityEssentials/default/savedsearches.conf, line 20: display.visualizations.custom.sankeydiagramapp.sankeydiagram.showSelf (value: 0).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/SplunkSecurityEssentials/default/savedsearches.conf, line 21: display.visualizations.custom.sankeydiagramapp.sankeydiagram.showTooltip (value: 1).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/SplunkSecurityEssentials/default/savedsearches.conf, line 22: display.visualizations.custom.sankeydiagramapp.sankeydiagram.styleBackwards (value: 0).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/SplunkSecurityEssentials/default/savedsearches.conf, line 23: display.visualizations.custom.sankeydiagramapp.sankeydiagram.useColors (value: 1).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-7.1.1-8f0ead9ec3db-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
[ OK ]

Waiting for web server at https://127.0.0.1:8000 to be available........................... Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at https://splunksh01.splunk.com:8000

0 Karma
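
Added example, not part of the original post and not Splunk's own tooling: a small Python parser that groups the "Invalid key in stanza" startup warnings by app, conf layer, conf file and stanza, and pulls out the visualization app named in keys of the form `display.visualizations.custom.<app>.<viz>.<property>`. The function names are hypothetical, the sample text is three warnings copied from the output above, and the key-naming pattern is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: three warnings copied from the startup output in the post.
_P = "/opt/splunk/etc/apps/SplunkSecurityEssentials/default/savedsearches.conf"
_K = "display.visualizations.custom.sankeydiagramapp.sankeydiagram."
SAMPLE = "\n".join([
    "Checking conf files for problems...",
    f"Invalid key in stanza [Generate MITRE matrix list] in {_P}, line 17: {_K}showBackwards (value: 0).",
    f"Invalid key in stanza [Generate MITRE matrix list] in {_P}, line 18: {_K}showLabels (value: 1).",
    f"Invalid key in stanza [Generate MITRE matrix list] in {_P}, line 19: {_K}showLegend (value: 1).",
    "Done",
])

# One warning line: stanza, conf path, line number, key and value.
LINE_RE = re.compile(
    r"Invalid key in stanza \[(?P<stanza>.+?)\] in (?P<path>.+?), "
    r"line (?P<line>\d+): (?P<key>\S+)\s+\(value: (?P<value>.*?)\)\.?\s*$"
)
# App directory, default/local layer and conf file name from the path.
APP_RE = re.compile(r"/etc/apps/(?P<app>[^/]+)/(?P<layer>default|local)/(?P<conf>[^/]+\.conf)$")
# Assumed naming pattern: display.visualizations.custom.<app>.<viz>.<property>
VIZ_RE = re.compile(r"^display\.visualizations\.custom\.(?P<viz_app>[^.]+)\.(?P<viz>[^.]+)\.")

def parse_invalid_keys(text):
    """Return one dict per 'Invalid key in stanza' line; other lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        f = m.groupdict()
        f["line"] = int(f["line"])
        loc = APP_RE.search(f["path"])
        for name in ("app", "layer", "conf"):
            f[name] = loc[name] if loc else None
        viz = VIZ_RE.match(f["key"])
        f["viz_app"] = viz["viz_app"] if viz else None
        findings.append(f)
    return findings

def summarize(findings):
    """Group by (app, layer, conf, stanza, viz_app) -> (first line, last line, count)."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["app"], f["layer"], f["conf"], f["stanza"], f["viz_app"])].append(f["line"])
    return {k: (min(v), max(v), len(v)) for k, v in groups.items()}

if __name__ == "__main__":
    for group, (first, last, count) in summarize(parse_invalid_keys(SAMPLE)).items():
        print(group, f"lines {first}-{last}", f"{count} keys")
```

Running it on the full startup output shows at a glance whether every warning comes from one stanza in one app's `default` layer and one visualization namespace, or from several unrelated files.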