Why is the upgrade to Splunk Security Essentials 2.0 causing errors?

jon_d_irish_ctr
Path Finder

Recently I upgraded our search heads with Splunk Security Essentials v2.0. Now, when Splunk restarts, I see errors referencing Splunk Security Essentials. The error recommends running btool, and the results are:

    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/app.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/collections.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/commands.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/distsearch.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/macros.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/transforms.conf
    Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf
    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 5: otherAuto (value: 1).
    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 8: skipText (value: Skip tour).
    Did you mean 'stepClickElement'?
    Did you mean 'stepClickEvent'?
    Did you mean 'stepElement'?
    Did you mean 'stepPosition'?
    Did you mean 'stepText'?
    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 17: doneText (value: Start Exploring).
    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 18: doneURL (value: /app/Splunk_Security_Essentials/contents).
    Invalid key in stanza [showcase_simple_search-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 45: skipText (value: Skip tour).
    Did you mean 'stepClickElement'?
    Did you mean 'stepClickEvent'?
    Did you mean 'stepElement'?
    Did you mean 'stepPosition'?
    Did you mean 'stepText'?
    Invalid key in stanza [showcase_first_seen_demo-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 72: skipText (value: Skip tour).
    Did you mean 'stepClickElement'?
    Did you mean 'stepClickEvent'?
    Did you mean 'stepElement'?
    Did you mean 'stepPosition'?
    Did you mean 'stepText'?
    Invalid key in stanza [showcase_standard_deviation-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 96: skipText (value: Skip tour).
    Did you mean 'stepClickElement'?
    Did you mean 'stepClickEvent'?
    Did you mean 'stepElement'?
    Did you mean 'stepPosition'?
    Did you mean 'stepText'?

I talked to a Splunk engineer about this (I thought it was Splunk supported), and he said the following:
This message below indicates that it is malformed. Usually, this means there is some misspelling of the key or that line is deprecated.

    Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf,

So, if this is indeed from something within the code, and Splunk wrote the code, but Splunk does not support the app, how does it get fixed?

0 Karma

artcarrera
Explorer

I am running Splunk 6.5.3 and getting the same errors. Will this be fixed in a newer release? I'm running Splunk Security Essentials 2.1.1. See errors below.

    Checking conf files for problems...
            Invalid key in stanza [contents-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 7: skipText  (value:  Skip tour).
            Invalid key in stanza [contents-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 16: doneText  (value:  Start Exploring).
            Invalid key in stanza [contents-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 17: doneURL  (value:  /app/Splunk_Security_Essentials/contents).
            Invalid key in stanza [showcase_simple_search-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 44: skipText  (value:  Skip tour).
            Invalid key in stanza [showcase_first_seen_demo-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 71: skipText  (value:  Skip tour).
            Invalid key in stanza [showcase_standard_deviation-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 95: skipText  (value:  Skip tour).
0 Karma

David
Splunk Employee

The otherAuto warnings I've seen before, and they will be fixed in version 2.1, which should land next week. The skipText, doneText, doneURL warnings I haven't seen before -- what version + platform of Splunk are you using?

Let me also validate that you're not seeing any issues starting Splunk or using the app, correct? (These warnings are just noise, created by the UI tour -- apparently there is some miscommunication between the default Product Tour functionality and the Core support for product tours, but nothing that should cause actual issues.)

0 Karma
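
The following is an added example, not part of any post in this thread and not Splunk's own tooling: a small parser for the `Invalid key in stanza ...` lines shown above that groups warnings by conf file and key and separates the ui-tour.conf noise from anything else. The `COSMETIC_CONFS` set is an assumption based on the answer above, and the `example_app` line in the sample is constructed to show a warning that would still need a look.

```python
import re
from collections import defaultdict

# Matches the "Invalid key" lines as they appear in this thread
# (Linux or Windows paths, one or two spaces before "(value:").
INVALID_KEY = re.compile(
    r"Invalid key in stanza \[(?P<stanza>[^\]]+)\] in (?P<path>.+?), "
    r"line (?P<line>\d+): (?P<key>\S+)\s+\(value:\s*(?P<value>.*)\)\.\s*$"
)

# Assumption: conf files whose warnings this thread describes as cosmetic.
COSMETIC_CONFS = {"ui-tour.conf"}

def parse_btool_check(text):
    """Return one dict per 'Invalid key' line; other lines are skipped."""
    findings = []
    for raw in text.splitlines():
        m = INVALID_KEY.search(raw)
        if not m:
            continue  # "Checking:" and "Did you mean" lines
        findings.append({
            "conf": re.split(r"[\\/]", m["path"])[-1],
            "stanza": m["stanza"],
            "line": int(m["line"]),
            "key": m["key"],
            "value": m["value"],
        })
    return findings

def summarize(findings):
    """Map (conf file, key) -> sorted list of stanzas that carry the key."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[(f["conf"], f["key"])].add(f["stanza"])
    return {k: sorted(v) for k, v in grouped.items()}

def needs_review(findings):
    """Warnings in conf files outside the cosmetic set."""
    return [f for f in findings if f["conf"] not in COSMETIC_CONFS]

# Sample input: lines from this thread plus one constructed inputs.conf line.
SAMPLE = r"""Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 5: otherAuto (value: 1).
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 8: skipText (value: Skip tour).
Did you mean 'stepText'?
Invalid key in stanza [showcase_simple_search-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 44: skipText  (value:  Skip tour).
Invalid key in stanza [monitor:///var/log/secure] in /opt/splunk/etc/apps/example_app/local/inputs.conf, line 3: disabeld (value: 0).
"""

if __name__ == "__main__":
    found = parse_btool_check(SAMPLE)
    for (conf, key), stanzas in summarize(found).items():
        print(f"{conf}: {key} in {len(stanzas)} stanza(s)")
    for f in needs_review(found):
        print(f"REVIEW {f['conf']} [{f['stanza']}] line {f['line']}: {f['key']}")
```
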

jon_d_irish_ctr
Path Finder

Hi David,
We are running Splunk Enterprise v6.4. Yes, we are not seeing any issues (that we are currently aware of).

Thanks,
Jon

0 Karma