All Apps and Add-ons

Splunk ES show messages "Invalid key in stanza" when restarted the Splunk service

sean_wong
Explorer

Hi Folks,

I found some messages were show "Invalid key in stanza..." when we restarted the Splunk service (with Splunk Enterprise Essential).
I am appreciate if anyone told me how to fix it? Thanks.

[splunk@splunksh01 bin]$ ./splunk start

Splunk> The Notorious B.I.G. D.A.T.A.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: _audit _internal _introspection _telemetry _thefishbucket access_center_summary access_summary access_summary2 apache audit_summary audit_summary2 bigip bro cim_modactions cim_summary endpoint_summary endpoint_summary2 firedalerts history ioc ipa main main1 mcafee msad network_summary network_summary2 network_summary3 notable notable_summary oracle os pci pci_posture_summary pci_re q6_summary pci_summary pcios perfmon proxy_center_summary proxy_center_summary2 reportsummary risk session_end session_start snipnet soph os sos sos_summary_daily summary symantec sysmon threat_activity tomcat traffic_center_summary traffic_center_summary2 ubaroute ueba webl ogic websense whois windows wineventlog winevents xtreme_contexts
Done

Bypassing local license checks since this instance is configured with a remote license master.

Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 17: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showBackwards (value: 0).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 18: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showLabels (value: 1).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 19: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showLegend (value: 1).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 20: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showSelf (value: 0).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 21: display.visualizations.custom.sankey_diagram_app.sankey_diagram.showTooltip (value: 1).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 22: display.visualizations.custom.sankey_diagram_app.sankey_diagram.styleBackwards (value: 0).
Invalid key in stanza [Generate MITRE matrix list] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/savedsearch es.conf, line 23: display.visualizations.custom.sankey_diagram_app.sankey_diagram.useColors (value: 1).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --deb ug'
Done
Checking default conf files for edits...
Validating installed files against hashes from '/opt/splunk/splunk-7.1.1-8f0ead9ec3db-linux-2.6-x86_64-manifest'
All installed files intact.
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done
[ OK ]

Waiting for web server at https://127.0.0.1:8000 to be available........................... Done

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at https://splunksh01.splunk.com:8000

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...