
Splunk for Juniper SA: Why am I getting error "Invalid key in stanza props.conf"?

fairje
Communicator

Just started trying to get this to work in our Splunk instance. After extracting the files into the Apps directory and rebooting Splunk, this is the error message that popped up:

Checking conf files for problems...
Invalid key in stanza [juniper_sa_log] in /opt/splunk/etc/apps/JuniperSA/default/props.conf, line 4: TRANSFORM  (value:  junipersa-host)
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'

I then ran the command requested and here is the segment of the output in question:

Checking: /opt/splunk/etc/apps/JuniperSA/default/app.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/eventtypes.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/fields.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/props.conf
                Invalid key in stanza [juniper_sa_log] in /opt/splunk/etc/apps/JuniperSA/default/props.conf, line 4: TRANSFORM  (value:  junipersa-host)
        Did you mean 'TIMESTAMP_FIELDS'?
        Did you mean 'TIME_FORMAT'?
        Did you mean 'TIME_PREFIX'?
        Did you mean 'TRANSFORMS-<class>'?
        Did you mean 'TRANSFORMS-colorchange'?
        Did you mean 'TRUNCATE'?
        Did you mean 'TZ'?
        Did you mean 'TZ_ALIAS'?
        Did you mean 'the default event boundary detection (BREAK_ONLY_BEFORE_DATE'?
Checking: /opt/splunk/etc/apps/JuniperSA/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/tags.conf
Checking: /opt/splunk/etc/apps/JuniperSA/default/transforms.conf

I am trying to troubleshoot through this, so I will likely answer my own question, but in case someone else has seen this before: what exactly is wrong with my props.conf?

Edit: Thought I would add in the current look of my props.conf as well:

### Juniper SA PROPS

[juniper_sa_log]
TRANSFORM = junipersa-host
REPORT-clientinfo = junipersa-client-info
REPORT-realminfo= junipersa-realm-info
REPORT-roleinfo= junipersa-role-info
REPORT-sessioninfo= junipersa-session-info
REPORT-securemeetinginfo = junipersa-secure-meeting-info


### Transform Juniper SA Log SourceType

[source::udp:514]
TRANSFORMS-sasourcetype= sa_sourcetyper
0 Karma

Gilberto_Castil
Splunk Employee

The current syntax reads:

# props.conf
[juniper_sa_log]
TRANSFORM = junipersa-host

That is incorrect. The keyword is TRANSFORMS (plural) and the syntax requires a mnemonic class label.

Copy this file to the local directory and do the following:

# props.conf
[juniper_sa_log]
TRANSFORMS-junipersa-host = junipersa-host

That will do it.
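
To see why btool rejects the original key and accepts the fix, here is an added example (not part of the thread or the JuniperSA app) that re-implements the relevant part of `splunk btool check` in Python: a minimal props.conf parser that tracks line numbers and flags any key that is neither a known plain setting nor of the form `<prefix>-<class>`. The list of prefixes and plain keys is a small subset assumed for the example, not the full props.conf specification, and the embedded props.conf is the one posted in the question.

```python
import difflib

# props.conf from the question, embedded verbatim as sample input; the bad key is on line 4.
PROPS_BROKEN = """\
### Juniper SA PROPS

[juniper_sa_log]
TRANSFORM = junipersa-host
REPORT-clientinfo = junipersa-client-info
REPORT-realminfo= junipersa-realm-info

### Transform Juniper SA Log SourceType

[source::udp:514]
TRANSFORMS-sasourcetype= sa_sourcetyper
"""

# The same file with the fix from the answer applied.
PROPS_FIXED = PROPS_BROKEN.replace("TRANSFORM = junipersa-host",
                                   "TRANSFORMS-junipersa-host = junipersa-host")

# Keys that require a mnemonic class suffix (TRANSFORMS-<class>, REPORT-<class>, ...).
# This list and PLAIN_KEYS are a small subset assumed for the example, not the full spec.
CLASS_PREFIXES = ("TRANSFORMS", "REPORT", "EXTRACT", "LOOKUP", "FIELDALIAS", "EVAL", "SEDCMD")
PLAIN_KEYS = {"TIME_PREFIX", "TIME_FORMAT", "TZ", "TZ_ALIAS", "TRUNCATE", "SHOULD_LINEMERGE",
              "LINE_BREAKER", "MAX_TIMESTAMP_LOOKAHEAD", "KV_MODE", "BREAK_ONLY_BEFORE_DATE"}
CANDIDATES = [p + "-<class>" for p in CLASS_PREFIXES] + sorted(PLAIN_KEYS)


def parse_conf(text):
    """Yield (lineno, stanza, key, value) for each 'key = value' line; skip blanks and comments."""
    stanza = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        if stanza is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield lineno, stanza, key.strip(), value.strip()


def key_is_valid(key):
    """A key is valid if it is a known plain key or <prefix>-<non-empty class>."""
    if key in PLAIN_KEYS:
        return True
    prefix, sep, cls = key.partition("-")
    return prefix in CLASS_PREFIXES and sep == "-" and cls != ""


def suggest(key):
    """Nearest valid spellings, in the spirit of btool's 'Did you mean' hints."""
    return difflib.get_close_matches(key, CANDIDATES, n=5, cutoff=0.6)


def check_props(text, path="props.conf"):
    """Return btool-style 'Invalid key' messages for every key that fails validation."""
    return [
        f"Invalid key in stanza [{stanza}] in {path}, line {lineno}: {key}  (value:  {value})"
        for lineno, stanza, key, value in parse_conf(text)
        if not key_is_valid(key)
    ]


if __name__ == "__main__":
    for lineno, stanza, key, value in parse_conf(PROPS_BROKEN):
        if not key_is_valid(key):
            print(f"line {lineno} [{stanza}]: {key!r} is invalid; did you mean {suggest(key)}?")
    print("broken:", check_props(PROPS_BROKEN))
    print("fixed: ", check_props(PROPS_FIXED))
```

Note that `key_is_valid` rejects a bare `TRANSFORMS` as well as `TRANSFORM`: the plural alone is not enough, the `-<class>` suffix is what makes the key a valid index-time transform setting.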

fairje
Communicator

OK, thanks for the update on the comment. I have done this and at least the error has gone away. I'll be updating the VPNs later to get this data in, and will post back if it seems to be reading things OK at that point. Thanks for the quick response!

0 Karma

fairje
Communicator

I am still trying to get the hang of this part of Splunk (haven't really had to dive into props.conf stuff yet), so if I am understanding this correctly, inside the transforms.conf there is a section like this:

[sa_sourcetyper]
DEST_KEY = MetaData:Sourcetype
REGEX = Juniper\:\s[^\s]+\s[^\s]+\s-\sive
FORMAT = sourcetype::juniper_sa_log

and with the above posted change to the transforms line in props.conf under "juniper_sa_log" section you suggested, combined with the line in the props.conf for source::udp:514, as long as my forwarder is set up with the inputs.conf listening on 514 UDP and setting the sourcetype to "juniper_sa_log" everything should be kosher, right?

0 Karma

Gilberto_Castil
Splunk Employee

That should work.

The precedence for execution is host --> source --> sourcetype. Which means the source will always enter the pipeline ahead of the sourcetype. In this case, the stanza for UDP 514 is first and the one for juniper_sa_log is second. It is just confusing when reading the file configuration on a reverse precedence.

0 Karma
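
As an added example (not code from the thread or from the JuniperSA app), the following Python simulates the routing the two posts above describe: the `sa_sourcetyper` transform from transforms.conf is run against events arriving on `udp:514`, and the props stanzas are consulted in the index-time order host, then source, then sourcetype. The model is deliberately simplified (each stage looks up its stanza from the event's current metadata, so a sourcetype rewritten at the source stage is the one consulted at the sourcetype stage, which is the ordering the answer describes); the `junipersa-host` transform is not shown in the thread and is therefore not simulated, and the two sample events, the host name `vpn-syslog-fwd` and the default sourcetype `syslog` are constructed for the example.

```python
import re

# transforms.conf stanza from the thread; the REGEX is the one posted above.
TRANSFORMS = {
    "sa_sourcetyper": {
        "REGEX": r"Juniper\:\s[^\s]+\s[^\s]+\s-\sive",
        "DEST_KEY": "MetaData:Sourcetype",
        "FORMAT": "sourcetype::juniper_sa_log",
    },
}

# props.conf routing stanza from the thread. The juniper_sa_log stanza's own
# junipersa-host transform is not shown in the thread, so it is left empty here.
PROPS = {
    "source::udp:514": {"TRANSFORMS-sasourcetype": "sa_sourcetyper"},
    "juniper_sa_log": {},
}


def run_transforms(event, meta):
    """Apply TRANSFORMS-* rules in the index-time precedence host -> source -> sourcetype.

    Simplified model (an assumption for this example): each stage looks up its props
    stanza from the event's *current* metadata. Returns (meta, trace), where trace lists
    the stanza names consulted, in order.
    """
    trace = []
    for stage in ("host", "source", "sourcetype"):
        stanza = meta[stage] if stage == "sourcetype" else f"{stage}::{meta[stage]}"
        trace.append(stanza)
        for key, names in sorted(PROPS.get(stanza, {}).items()):
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in names.split(",")):
                rule = TRANSFORMS[name]
                if not re.search(rule["REGEX"], event):
                    continue
                if rule["DEST_KEY"] == "MetaData:Sourcetype":
                    # FORMAT is 'sourcetype::<name>'; strip the prefix to get the new value.
                    meta["sourcetype"] = rule["FORMAT"].split("::", 1)[1]
    return meta, trace


def route(event, host="vpn-syslog-fwd", source="udp:514", sourcetype="syslog"):
    """Return (final_sourcetype, trace) for one event received with the given metadata."""
    meta, trace = run_transforms(event, {"host": host, "source": source, "sourcetype": sourcetype})
    return meta["sourcetype"], trace


# Constructed sample events (not real captures): one in the Juniper SA format the
# regex expects, one generic syslog line arriving on the same UDP port.
JUNIPER_EVENT = ("Juniper: 2014-05-12 10:15:22 - ive - [192.0.2.10] jdoe(Users)[Employees] - "
                 "Login succeeded for jdoe/Users from 192.0.2.10")
OTHER_EVENT = "%ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/443"


if __name__ == "__main__":
    for ev in (JUNIPER_EVENT, OTHER_EVENT):
        st, trace = route(ev)
        print(f"{st:16} via {' -> '.join(trace)}  <- {ev[:40]}...")
```

The trace makes the precedence visible: for the Juniper line the `source::udp:514` stanza runs first and rewrites the sourcetype, and only then is the `juniper_sa_log` stanza consulted, so whatever TRANSFORMS the app defines there see the event already tagged as `juniper_sa_log`. A non-matching line on the same port keeps the sourcetype the input assigned.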

fairje
Communicator

Ah, makes sense. Probably not the right place for this, but this app hasn't been updated by the owner since, like, 2011 (it doesn't even state that it supports Splunk version 6). Is there any way, if I get this thing working fully, to submit updates to the base app?

0 Karma