All Apps and Add-ons

Why am I getting "Invalid key in stanza [lookup:cam_category_lookup] in E:\Splunk\etc\apps\Splunk_SA_CIM\default\managed_configurations.conf, line 34: expose (value: 1)"

scottrunyon
Contributor

During startup, I get the following message - "Invalid key in stanza [lookup:cam_category_lookup] in E:\Splunk\etc\apps\Splunk_SA_CIM\default\managed_configurations.conf, line 34: expose (value: 1)"

Splunk was just upgraded to 6.5 and CIM is at 4.6.0.

Looking at props.conf, there is no lookup called cam_category_lookup being created but there is a transforms.conf entry for it.

Is there a lookup that is missing?

1 Solution

rpille_splunk
Splunk Employee
Splunk Employee

This is happening because the version of SA-Utils (a supporting add-on containing common logic used for many apps) that you have installed is an older version than the one that is expected by the CIM add-on, and is missing an entry in the spec file for the "expose" setting. This can happen because apps that include SA-Utils release at different times, so it is possible that some other app you have installed includes an older version of SA-Utils before this setting's spec was added.

The error should not impact you, but you can eliminate it by going to SA-Utils/README/managed_configurations.conf.spec and including this at the very end (under the lookup stanza):

expose = [0|1]
   * Whether to expose the contents of file backed lookups
   * Exposes contents via eai:data
   * Optional.

View solution in original post

rpille_splunk
Splunk Employee
Splunk Employee

This is happening because the version of SA-Utils (a supporting add-on containing common logic used for many apps) that you have installed is an older version than the one that is expected by the CIM add-on, and is missing an entry in the spec file for the "expose" setting. This can happen because apps that include SA-Utils release at different times, so it is possible that some other app you have installed includes an older version of SA-Utils before this setting's spec was added.

The error should not impact you, but you can eliminate it by going to SA-Utils/README/managed_configurations.conf.spec and including this at the very end (under the lookup stanza):

expose = [0|1]
   * Whether to expose the contents of file backed lookups
   * Exposes contents via eai:data
   * Optional.

scottrunyon
Contributor

This resolved the issue.

Thanks!!!

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...