All Apps and Add-ons

Why is the upgrade to Splunk Security Essentials 2.0 causing errors?

jon_d_irish_ctr
Path Finder

Recently I upgraded our search heads with Splunk Security Essentials v2.0. Now, when Splunk restarts, I see errors referencing Splunk Security Essentials. The error recommends running btool, and the results are:

Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/app.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/collections.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/commands.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/distsearch.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/macros.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/transforms.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 5: otherAuto (value: 1).
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 8: skipText (value: Skip tour).
Did you mean 'stepClickElement'?
Did you mean 'stepClickEvent'?
Did you mean 'stepElement'?
Did you mean 'stepPosition'?
Did you mean 'stepText'?
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 17: doneText (value: Start Exploring).
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 18: doneURL (value: /app/Splunk_Security_Essentials/contents).
Invalid key in stanza [showcase_simple_search-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 45: skipText (value: Skip tour).
Did you mean 'stepClickElement'?
Did you mean 'stepClickEvent'?
Did you mean 'stepElement'?
Did you mean 'stepPosition'?
Did you mean 'stepText'?
Invalid key in stanza [showcase_first_seen_demo-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 72: skipText (value: Skip tour).
Did you mean 'stepClickElement'?
Did you mean 'stepClickEvent'?
Did you mean 'stepElement'?
Did you mean 'stepPosition'?
Did you mean 'stepText'?
Invalid key in stanza [showcase_standard_deviation-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 96: skipText (value: Skip tour).
Did you mean 'stepClickElement'?
Did you mean 'stepClickEvent'?
Did you mean 'stepElement'?
Did you mean 'stepPosition'?
Did you mean 'stepText'?

I talked to a Splunk engineer about this (I thought it was Splunk supported). and he said the following:
This message below indicates that it is malformed. Usually, this means there is some misspelling of the key or that line is deprecated

Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf,

So, if this is indeed from something within the code, and Splunk wrote the code, but Splunk does not support the app, how does it get fixed?

0 Karma

artcarrera
Explorer

I am running Splunk 6.5.3 and getting the same errors. Will this be fixed in a newer release? I'm running Splunk Security Essentials 2.1.1. See errors below.

    Checking conf files for problems...
            Invalid key in stanza [contents-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 7: skipText  (value:  Skip tour).
            Invalid key in stanza [contents-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 16: doneText  (value:  Start Exploring).
            Invalid key in stanza [contents-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 17: doneURL  (value:  /app/Splunk_Security_Essentials/contents).
            Invalid key in stanza [showcase_simple_search-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 44: skipText  (value:  Skip tour).
            Invalid key in stanza [showcase_first_seen_demo-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 71: skipText  (value:  Skip tour).
            Invalid key in stanza [showcase_standard_deviation-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 95: skipText  (value:  Skip tour).
0 Karma

David
Splunk Employee
Splunk Employee

The otherAuto warnings I've seen before, and they will be fixed in version 2.1, which should land next week. The skipText, doneText, doneURL warnings I haven't seen before -- what version + platform of Splunk are you using?

Let me also validate that you're not seeing any issues starting Splunk or using the app, correct? (These warnings are just noise, created by the UI tour -- apparently there is some miscommunication between the default Product Tour functionality and the Core support for product tours, but nothing that should cause actual issues.)

0 Karma

jon_d_irish_ctr
Path Finder

Hi David,
We are running Splunk Enterprise v6.4. Yes, we are not seeing any issues (that we are currently aware of).

Thanks,
Jon

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...