Just started trying to get this to work in our Splunk instance after extracting the files into the Apps directory and rebooting Splunk this is what the error message popped up:
Checking conf files for problems...
Invalid key in stanza [juniper_sa_log] in /opt/splunk/etc/apps/JuniperSA/default/props.conf, line 4: TRANSFORM (value: junipersa-host)
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
I then ran the command requested and here is the segment of the output in question:
Checking: /opt/splunk/etc/apps/JuniperSA/default/app.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/eventtypes.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/fields.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/props.conf
Invalid key in stanza [juniper_sa_log] in /opt/splunk/etc/apps/JuniperSA/default/props.conf, line 4: TRANSFORM (value: junipersa-host)
Did you mean 'TIMESTAMP_FIELDS'?
Did you mean 'TIME_FORMAT'?
Did you mean 'TIME_PREFIX'?
Did you mean 'TRANSFORMS-<class>'?
Did you mean 'TRANSFORMS-colorchange'?
Did you mean 'TRUNCATE'?
Did you mean 'TZ'?
Did you mean 'TZ_ALIAS'?
Did you mean 'the default event boundary detection (BREAK_ONLY_BEFORE_DATE'?
Checking: /opt/splunk/etc/apps/JuniperSA/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/tags.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/transforms.conf
I am trying to troubleshoot this myself, so I will likely answer my own question, but in case someone else has seen this before: what exactly is wrong with my props.conf?
Edit: Thought I would add in the current look of my props.conf as well:
### Juniper SA PROPS
[juniper_sa_log]
TRANSFORM = junipersa-host
REPORT-clientinfo = junipersa-client-info
REPORT-realminfo = junipersa-realm-info
REPORT-roleinfo = junipersa-role-info
REPORT-sessioninfo = junipersa-session-info
REPORT-securemeetinginfo = junipersa-secure-meeting-info

### Transform Juniper SA Log SourceType
[source::udp:514]
TRANSFORMS-sasourcetype = sa_sourcetyper
The current syntax reads:

# props.conf
[juniper_sa_log]
TRANSFORM = junipersa-host
That is incorrect. The keyword is TRANSFORMS (plural) and the syntax requires a mnemonic class label.
Copy this file to the local directory and do the following:

# props.conf
[juniper_sa_log]
TRANSFORMS-junipersa-host = junipersa-host
That will do it.
OK, thanks for the update in the comment. I have done this and at least the error has gone away. I'll be updating the VPNs later to get this data in and will post back if it seems to be reading things OK at that point. Thanks for the quick response!
I am still trying to get the hang of this part of Splunk (haven't really had to dive into props.conf stuff yet), so if I am understanding this correctly, inside transforms.conf there is a section like this:

[sa_sourcetyper]
DEST_KEY = MetaData:Sourcetype
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive
FORMAT = sourcetype::juniper_sa_log
and with the change you suggested above to the TRANSFORMS line in the "juniper_sa_log" section of props.conf, combined with the line in props.conf for source::udp:514, as long as my forwarder is set up with inputs.conf listening on 514 UDP and setting the sourcetype to "juniper_sa_log", everything should be kosher, right?
That should work.
The precedence for execution is host --> source --> sourcetype. Which means the source will always enter the pipeline ahead of the sourcetype. In this case, the stanza for UDP 514 is first and the one for juniper_sa_log is second. It is just confusing when reading the file configuration in reverse precedence order.
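To make the two points in this thread concrete (the TRANSFORM vs TRANSFORMS-<class> key error the answer fixes, and the sourcetype routing via the sa_sourcetyper REGEX discussed in the comments above), here is an added example that is not part of the original post or of the JuniperSA app. It parses the posted props.conf and transforms.conf stanzas with Python's configparser, flags keys that btool would reject, and applies the transform's REGEX to two constructed syslog lines to show which one is re-tagged as juniper_sa_log. The list of accepted props.conf keys is a small hand-picked subset, not btool's real schema, and the "syslog" fallback sourcetype is an assumed value from an inputs.conf that is not on the page.

```python
import configparser
import re

# Constructed props.conf contents, reduced to the stanzas that matter here.
# BROKEN_PROPS uses the invalid singular key from the original post.
BROKEN_PROPS = """
### Juniper SA PROPS
[juniper_sa_log]
TRANSFORM = junipersa-host
REPORT-clientinfo = junipersa-client-info

### Transform Juniper SA Log SourceType
[source::udp:514]
TRANSFORMS-sasourcetype = sa_sourcetyper
"""

# The fix from the accepted answer: plural keyword plus a class label.
FIXED_PROPS = BROKEN_PROPS.replace(
    "TRANSFORM = junipersa-host",
    "TRANSFORMS-junipersa-host = junipersa-host",
)

# transforms.conf stanza as posted in the thread (raw string keeps the backslashes).
TRANSFORMS_CONF = r"""
[sa_sourcetyper]
DEST_KEY = MetaData:Sourcetype
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive
FORMAT = sourcetype::juniper_sa_log
"""

# Constructed sample events: one Juniper SA line, one unrelated syslog line.
SAMPLE_LINES = [
    "Juniper: 2014-03-10 10:15:01 - ive - [10.0.0.5] jdoe(Users)[Employees] - Login succeeded",
    "Mar 10 10:15:02 fw01 kernel: [12345.6] IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1",
]

# Hand-picked subset of valid props.conf keys; btool knows many more (assumption).
KNOWN_KEYS = {"TRUNCATE", "TZ", "TZ_ALIAS", "TIME_PREFIX", "TIME_FORMAT",
              "SHOULD_LINEMERGE", "LINE_BREAKER", "MAX_TIMESTAMP_LOOKAHEAD"}
KNOWN_PREFIXES = ("TRANSFORMS-", "REPORT-", "EXTRACT-", "FIELDALIAS-",
                  "EVAL-", "LOOKUP-", "SEDCMD-")


def load_conf(text):
    """Parse Splunk-style INI text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def check_props(text):
    """Return (stanza, key) pairs that are not recognised props.conf keys."""
    problems = []
    for stanza, keys in load_conf(text).items():
        for key in keys:
            if key in KNOWN_KEYS or key.startswith(KNOWN_PREFIXES):
                continue
            problems.append((stanza, key))
    return problems


def route_sourcetype(props_text, transforms_text, source, lines,
                     default_sourcetype="syslog"):
    """Apply the TRANSFORMS-* classes of the matching source:: stanza to each line.

    Returns the resulting sourcetype per line. Only DEST_KEY=MetaData:Sourcetype
    transforms are honoured, which is all this thread's config uses.
    """
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    stanza = props.get(f"source::{source}", {})
    classes = []
    for key, value in stanza.items():
        if key.startswith("TRANSFORMS-"):
            classes.extend(name.strip() for name in value.split(","))

    results = []
    for line in lines:
        sourcetype = default_sourcetype
        for name in classes:
            t = transforms[name]
            if t.get("DEST_KEY") == "MetaData:Sourcetype" and re.search(t["REGEX"], line):
                sourcetype = t["FORMAT"].split("::", 1)[1]
        results.append(sourcetype)
    return results


if __name__ == "__main__":
    print("broken props problems:", check_props(BROKEN_PROPS))
    print("fixed props problems: ", check_props(FIXED_PROPS))
    for line, st in zip(SAMPLE_LINES, route_sourcetype(FIXED_PROPS, TRANSFORMS_CONF, "udp:514", SAMPLE_LINES)):
        print(f"{st:16s} <- {line[:50]}")
```

Running it reports the one bad key in the original stanza, nothing for the corrected one, and tags only the line beginning "Juniper: <date> <time> - ive" as juniper_sa_log; the kernel line keeps the fallback sourcetype. Splunk's own matching order and full key list are richer than this sketch, so treat btool, not this script, as the authority.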
Ah, makes sense. Probably not the right place for this, but this app hasn't been updated by the owner since, like, 2011 (it doesn't even state that it supports Splunk version 6). Is there any way that, if I get this thing working fully, I can submit updates to the base app?