All Apps and Add-ons

Why is the upgrade to Splunk Security Essentials 2.0 causing errors?

jon_d_irish_ctr
Path Finder

Recently I upgraded our search heads with Splunk Security Essentials v2.0. Now, when Splunk restarts, I see errors referencing Splunk Security Essentials. The error recommends running btool, and the results are:

Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/app.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/collections.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/commands.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/distsearch.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/macros.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/transforms.conf
Checking: /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 5: otherAuto (value: 1).
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 8: skipText (value: Skip tour).
Did you mean 'stepClickElement'?
Did you mean 'stepClickEvent'?
Did you mean 'stepElement'?
Did you mean 'stepPosition'?
Did you mean 'stepText'?
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 17: doneText (value: Start Exploring).
Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 18: doneURL (value: /app/Splunk_Security_Essentials/contents).
Invalid key in stanza [showcase_simple_search-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 45: skipText (value: Skip tour).
Did you mean 'stepClickElement'?
Did you mean 'stepClickEvent'?
Did you mean 'stepElement'?
Did you mean 'stepPosition'?
Did you mean 'stepText'?
Invalid key in stanza [showcase_first_seen_demo-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 72: skipText (value: Skip tour).
Did you mean 'stepClickElement'?
Did you mean 'stepClickEvent'?
Did you mean 'stepElement'?
Did you mean 'stepPosition'?
Did you mean 'stepText'?
Invalid key in stanza [showcase_standard_deviation-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf, line 96: skipText (value: Skip tour).
Did you mean 'stepClickElement'?
Did you mean 'stepClickEvent'?
Did you mean 'stepElement'?
Did you mean 'stepPosition'?
Did you mean 'stepText'?

I talked to a Splunk engineer about this (I thought it was Splunk supported). and he said the following:
This message below indicates that it is malformed. Usually, this means there is some misspelling of the key or that line is deprecated

Invalid key in stanza [contents-tour] in /opt/splunk/etc/apps/Splunk_Security_Essentials/default/ui-tour.conf,

So, if this is indeed from something within the code, and Splunk wrote the code, but Splunk does not support the app, how does it get fixed?

0 Karma

artcarrera
Explorer

I am running Splunk 6.5.3 and getting the same errors. Will this be fixed in a newer release? I'm running Splunk Security Essentials 2.1.1. See errors below.

    Checking conf files for problems...
            Invalid key in stanza [contents-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 7: skipText  (value:  Skip tour).
            Invalid key in stanza [contents-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 16: doneText  (value:  Start Exploring).
            Invalid key in stanza [contents-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 17: doneURL  (value:  /app/Splunk_Security_Essentials/contents).
            Invalid key in stanza [showcase_simple_search-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 44: skipText  (value:  Skip tour).
            Invalid key in stanza [showcase_first_seen_demo-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 71: skipText  (value:  Skip tour).
            Invalid key in stanza [showcase_standard_deviation-tour] in D:\Program Files\Splunk\etc\apps\Splunk_Security_Essentials\default\ui-tour.conf, line 95: skipText  (value:  Skip tour).
0 Karma

David
Splunk Employee
Splunk Employee

The otherAuto warnings I've seen before, and they will be fixed in version 2.1, which should land next week. The skipText, doneText, doneURL warnings I haven't seen before -- what version + platform of Splunk are you using?

Let me also validate that you're not seeing any issues starting Splunk or using the app, correct? (These warnings are just noise, created by the UI tour -- apparently there is some miscommunication between the default Product Tour functionality and the Core support for product tours, but nothing that should cause actual issues.)

0 Karma

jon_d_irish_ctr
Path Finder

Hi David,
We are running Splunk Enterprise v6.4. Yes, we are not seeing any issues (that we are currently aware of).

Thanks,
Jon

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...