Hi Folks,
I found some messages were show "Invalid key in stanza..." when we restarted the Splunk service (with Splunk Enterprise Essential).
I am appreciate if anyone told me how to fix it? Thanks.
[splunk@splunksh01 bin]$ ./splunk start
Splunk> The Notorious B.I.G. D.A.T.A.
Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _telemetry _thefishbucket access_center_summary access_summary access_summary2 apache audit_summary audit_summary2 bigip bro cim_modactions cim_summary endpoint_summary endpoint_summary2 firedalerts history ioc ipa main main1 mcafee msad network_summary network_summary2 network_summary3 notable notable_summary oracle os pci pci_posture_summary pci_re q6_summary pci_summary pcios perfmon proxy_center_summary proxy_center_summary2 reportsummary risk session_end session_start snipnet soph os sos sos_summary_daily summary symantec sysmon threat_activity tomcat traffic_center_summary traffic_center_summary2 ubaroute ueba webl ogic websense whois windows wineventlog winevents xtreme_contexts
Done
Bypassing local license checks since this instance is configured with a remote license master.
Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 17: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showBackwards (value: 0).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 18: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showLabels (value: 1).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 19: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showLegend (value: 1).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 20: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showSelf (value: 0).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 21: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showTooltip (value: 1).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 22: display.visualizations.custom.sankey_diagram_app.sankey_diagram.styleBackwards (value: 0).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 23: display.visualizations.custom.sankey_diagram_app.sankey_diagram.useColors (value: 1).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --deb ug'
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-7.1.1-8f0ead9ec3db-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.
Starting splunk server daemon (splunkd)...
Done
[ OK ]
Waiting for web server at https://127.0.0.1:8000 to be available........................... Done
If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com
The Splunk web interface is at https://splunksh01.splunk.com:8000