All Apps and Add-ons

"Invalid key in stanza" when attempting to push Splunk Add-on for Bro IDS in an indexer cluster

adamblock2
Path Finder

I just installed the Splunk Add-on for Bro IDS on my indexer cluster master, and attempted to push the bundle. The attempt is unsuccessful due to the following errors:

    No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_bro/default/eventgen.conf;
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 3: recursive  (value:  False);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 5: store_dir   (value:  $SPLUNK_HOME/var/spool/splunk);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 7: bro_bin     (value:  /opt/bro/bin/bro);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 8: bro_opts    (value:  -C);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 9: bro_script  (value:  None);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 10: bro_seeds   (value:  None);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 11: bro_merge   (value:  False);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 14: content_maxsize  (value:  1024);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 17: run_maxtime  (value:  1800)

What would be the best way to rectify these errors?

Thank you.

0 Karma
1 Solution

rpille_splunk
Splunk Employee

Try removing eventgen.conf, all files in the Samples folder, and inputs.conf before you deploy to an indexer cluster. Let us know if that solves the problem.

For reference: http://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall#Indexer_clusters

Because this gotcha is easy to run into, I'll update the installation instructions for this add-on to call it out.

[Answer edited to include inputs.conf among items to delete on indexer clusters.]

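As an added illustration (not part of this thread and not Splunk's own code), the script below models in simplified form the check whose output the question shows: it parses an inputs.conf stanza, compares its keys against a spec, and reports every key the spec does not declare, in the same shape as the "Invalid key in stanza" messages. It then stages a copy of the add-on with the files the accepted answer removes before a cluster-bundle push (default/eventgen.conf, the samples folder, inputs.conf). The add-on layout, the spec text and the conf values are constructed for the example; the parser and the `CLUSTER_STRIP` list are assumptions of this example, not Splunk's validator or the add-on's packaging.

```python
import os
import re
import shutil
import tempfile

# Constructed sample of default/inputs.conf, shaped like the stanza the
# error messages in the question describe (a subset of its keys).
SAMPLE_INPUTS_CONF = """\
[pcap_monitor]
disabled = 1
recursive = False
index = main
store_dir = $SPLUNK_HOME/var/spool/splunk
bro_bin = /opt/bro/bin/bro
"""

# Constructed, deliberately minimal stand-in for the spec the validator
# consults: only generic inputs.conf keys, nothing about pcap_monitor.
SAMPLE_INPUTS_SPEC = """\
[default]
host = <string>
index = <string>
source = <string>
sourcetype = <string>
disabled = <boolean>
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")


def parse_conf(text):
    """Parse Splunk .conf/.spec text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def invalid_keys(conf_text, spec_text):
    """Return (stanza, key, value) for every key the spec does not declare.
    Keys listed under [default] in a spec are accepted in every stanza."""
    spec = parse_conf(spec_text)
    default_keys = set(spec.get("default", {}))
    errors = []
    for stanza, keys in parse_conf(conf_text).items():
        allowed = default_keys | set(spec.get(stanza, {}))
        errors += [(stanza, k, v) for k, v in keys.items() if k not in allowed]
    return errors


# Relative paths the accepted answer removes before pushing to an indexer
# cluster (assumption of this example: local/inputs.conf is treated alike).
CLUSTER_STRIP = ("default/eventgen.conf", "default/inputs.conf",
                 "local/inputs.conf", "samples")


def stage_for_cluster(app_dir, staging_root):
    """Copy app_dir under staging_root minus CLUSTER_STRIP; return what was removed."""
    dest = os.path.join(staging_root, os.path.basename(app_dir))
    shutil.copytree(app_dir, dest)
    removed = []
    for rel in CLUSTER_STRIP:
        path = os.path.join(dest, rel)
        if os.path.isdir(path):
            shutil.rmtree(path)
            removed.append(rel)
        elif os.path.isfile(path):
            os.remove(path)
            removed.append(rel)
    return sorted(removed)


def demo():
    """Build a constructed add-on in a temp dir, stage it, and report the result."""
    root = tempfile.mkdtemp()
    try:
        app = os.path.join(root, "Splunk_TA_bro")
        files = {  # constructed layout, not the real add-on's contents
            "default/app.conf": "[launcher]\nversion = 0.0.0\n",
            "default/inputs.conf": SAMPLE_INPUTS_CONF,
            "default/eventgen.conf": "[sample.log]\n",
            "samples/sample.log": "constructed sample event\n",
            "README/inputs.conf.spec": "[pcap_monitor]\nbro_bin = <path>\n",
        }
        for rel, body in files.items():
            path = os.path.join(app, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        staging = os.path.join(root, "master-apps")
        os.makedirs(staging)
        removed = stage_for_cluster(app, staging)
        staged = os.path.join(staging, "Splunk_TA_bro")
        kept = sorted(os.path.relpath(os.path.join(d, f), staged)
                      for d, _, names in os.walk(staged) for f in names)
        return {"removed": removed, "kept": kept}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for stanza, key, value in invalid_keys(SAMPLE_INPUTS_CONF, SAMPLE_INPUTS_SPEC):
        print(f"Invalid key in stanza [{stanza}]: {key}  (value:  {value})")
    print(demo())
```

Run it directly to see the three undeclared keys of the constructed stanza reported and the staged copy listed with only app.conf and the README spec left. The point of the staging step is that the bundle pushed from master-apps contains no inputs.conf at all, which is what the original poster found was needed.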
adamblock2
Path Finder

Removing the eventgen.conf and all files in the Samples folder was not sufficient. As soon as I deleted the inputs.conf file, I was able to apply the cluster-bundle.

0 Karma

rpille_splunk
Splunk Employee

Great! The link I posted also says to delete the inputs.conf file there, but I failed to remember to read step 2. Sorry about that, and glad it is working now.

0 Karma