Splunk_TA_paloalto causing many Invalid Key errors during restart of Splunk (Palo Alto Networks Add on for Splunk, Version 3.8.0 April 28, 2017)

wrangler2x
Motivator

Is there something that we are supposed to be doing after installing this or is it just broken?

Here is my output during startup of splunkd

Checking conf files for problems...
        Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 8: outputMode  (value:  splunkstream).
        Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 14: autotimestamp  (value:  1).
        Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 15: randomizeCount  (value:  0.2).
        Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 16: randomizeEvents  (value:  0).
        Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 18: sourcetype  (value:  pan:log).
        Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 19: source  (value:  eventgen:pan_globalprotect.samplelog).
        Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 27: outputMode  (value:  splunkstream).
        Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 33: randomizeCount  (value:  0.2).
        Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 34: randomizeEvents  (value:  true).
        Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 36: sourcetype (value: pan:log).
        Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 37: source  (value:  eventgen:pan_incident.samplelog).
        Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 68: outputMode  (value:  splunkstream).
        Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 74: randomizeCount  (value:  0.2).
        Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 75: randomizeEvents  (value:  true).
        Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 77: sourcetype (value: pan:log).
        Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 78: source  (value:  eventgen:pan_endpoint.samplelog).
        Invalid key in stanza [pan_endpoint.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 79: autotimestamp  (value:  1).
        Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 88: outputMode  (value:  splunkstream).
        Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 94: randomizeCount  (value:  0.2).
        Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 95: randomizeEvents  (value:  true).
        Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 97: sourcetype  (value:  pan:log).
        Invalid key in stanza [pan_incident_data_config.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 98: source  (value:  eventgen:pan_incident_data_config.samplelog).
        Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 119: mode  (value:  replay).
        Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 120: sampletype  (value:  csv).
        Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 121: timeField  (value:  _time).
        Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 122: index  (value:  main).
        Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 128: timeMultiple  (value:  2).
        Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 129: autotimestamp  (value:  1).
        Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 134: sourcetype  (value:  pan:log).
        Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 135: source  (value:  eventgen:pan_wildfire_reports.csv).
        Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done

mghocke
Path Finder

It's safe to delete eventgen.conf and the samples directory one level above. It's actually required when you want to install an app on an indexer cluster.
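
An added example, not part of the original thread or the add-on's own code: a small Python triage of the startup check output that separates the eventgen.conf findings (the file the answer says can be deleted) from invalid keys reported in any other conf file. The sample text is constructed from lines in the post plus one hypothetical inputs.conf typo; the `example_app` path and the function names are assumptions.

```python
import re
from collections import defaultdict

# Matches the "Invalid key" lines splunkd prints while checking conf files.
INVALID_KEY = re.compile(
    r"Invalid key in stanza \[(?P<stanza>[^\]]+)\] in (?P<path>\S+), "
    r"line (?P<line>\d+): (?P<key>\S+)\s+\(value:\s*(?P<value>.*?)\)\.?\s*$"
)

# Constructed sample: three lines taken from the post plus one hypothetical
# inputs.conf typo, to show a finding that should not be dismissed as noise.
SAMPLE = """\
Checking conf files for problems...
        Invalid key in stanza [pan_globalprotect.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 8: outputMode  (value:  splunkstream).
        Invalid key in stanza [pan_incident.samplelog] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 36: sourcetype (value: pan:log).
        Invalid key in stanza [pan_wildfire_reports.csv] in /opt/splunk/etc/apps/Splunk_TA_paloalto/default/eventgen.conf, line 119: mode  (value:  replay).
        Invalid key in stanza [udp://514] in /opt/splunk/etc/apps/example_app/local/inputs.conf, line 3: sourcetpye  (value:  pan:log).
Done
"""


def parse_invalid_keys(text):
    """Return one dict per 'Invalid key' line; all other lines are skipped."""
    findings = []
    for raw in text.splitlines():
        match = INVALID_KEY.search(raw)
        if match:
            item = match.groupdict()
            item["line"] = int(item["line"])
            findings.append(item)
    return findings


def triage(findings):
    """Group findings by file: eventgen.conf entries versus everything else."""
    eventgen, review = defaultdict(list), defaultdict(list)
    for f in findings:
        bucket = eventgen if f["path"].endswith("/eventgen.conf") else review
        bucket[f["path"]].append((f["stanza"], f["key"], f["line"]))
    return dict(eventgen), dict(review)


if __name__ == "__main__":
    eventgen, review = triage(parse_invalid_keys(SAMPLE))
    for path, items in review.items():
        print("needs review:", path, items)
    for path, items in eventgen.items():
        print("eventgen.conf only:", path, len(items), "invalid keys")
```

Anything reported under "needs review" is outside eventgen.conf and would still be flagged after that file is removed.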
