
"Invalid key in stanza" when attempting to push Splunk Add-on for Bro IDS in an indexer cluster

adamblock2
Path Finder

I just installed the Splunk Add-on for Bro IDS on my indexer cluster master, and attempted to push the bundle. The attempt is unsuccessful due to the following errors:

    No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_bro/default/eventgen.conf;
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 3: recursive  (value:  False);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 5: store_dir   (value:  $SPLUNK_HOME/var/spool/splunk);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 7: bro_bin     (value:  /opt/bro/bin/bro);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 8: bro_opts    (value:  -C);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 9: bro_script  (value:  None);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 10: bro_seeds   (value:  None);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 11: bro_merge   (value:  False);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 14: content_maxsize  (value:  1024);
    Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 17: run_maxtime  (value:  1800)

What would be the best way to rectify these errors?

Thank you.


rpille_splunk
Splunk Employee

Try removing eventgen.conf, all files in the Samples folder, and inputs.conf before you deploy to an indexer cluster. Let us know if that solves the problem.

For reference: http://docs.splunk.com/Documentation/AddOns/released/Overview/Distributedinstall#Indexer_clusters

Because this gotcha is easy to run into, I'll update the installation instructions for this add-on to call it out.

[Answer edited to include inputs.conf among items to delete on indexer clusters.]


adamblock2
Path Finder

Removing the eventgen.conf and all files in the Samples folder was not sufficient. As soon as I deleted the inputs.conf file, I was able to apply the cluster-bundle.


rpille_splunk
Splunk Employee

Great! The link I posted also says to delete the inputs.conf file there, but I failed to remember to read step 2. Sorry about that, and glad it is working now.
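A pre-flight script for the cleanup the thread settles on, added here as an example that is not code from the thread or from Splunk. It assumes the add-on directory sits under master-apps on the cluster master and that inputs.conf, eventgen.conf and the samples folder are the only files to strip; the sample layout it builds for a dry run is constructed and is not the real Splunk_TA_bro package.

```shell
#!/bin/sh
# Strip the parts of a Splunk add-on that the cluster master rejects when
# validating a bundle: inputs.conf, eventgen.conf and the samples folder.
# Run on the cluster master before applying the cluster bundle.
# Usage: prepare_ta_for_cluster /opt/splunk/etc/master-apps/Splunk_TA_bro

prepare_ta_for_cluster() {
    app="$1"
    [ -d "$app" ] || { echo "not an app directory: $app" >&2; return 1; }
    # Inputs belong on the forwarders, not in the indexer bundle. List the
    # stanzas being dropped so the admin knows what to configure there.
    for rel in default/inputs.conf local/inputs.conf; do
        if [ -f "$app/$rel" ]; then
            echo "dropping $rel with stanzas: $(grep -o '^\[[^]]*\]' "$app/$rel" | tr '\n' ' ')"
            rm -f "$app/$rel"
        fi
    done
    # Event generator config and its sample data serve no purpose on indexers.
    for rel in default/eventgen.conf local/eventgen.conf samples Samples; do
        if [ -e "$app/$rel" ]; then
            echo "dropping $rel"
            rm -rf "$app/$rel"
        fi
    done
}

# Count conf files left in the app that would still trip bundle validation.
leftover_cluster_problems() {
    find "$1" \( -name eventgen.conf -o -name inputs.conf \) -type f | wc -l | tr -d ' '
}

# Constructed sample layout mirroring the files named in the thread
# (hypothetical content, not the real Splunk_TA_bro package).
make_sample_ta() {
    app="$1"
    mkdir -p "$app/default" "$app/samples"
    printf '[pcap_monitor]\nrecursive = False\nstore_dir = $SPLUNK_HOME/var/spool/splunk\n' > "$app/default/inputs.conf"
    printf '[bro_conn]\ninterval = 60\n' > "$app/default/eventgen.conf"
    printf '[bro]\nSHOULD_LINEMERGE = false\n' > "$app/default/props.conf"
    : > "$app/samples/conn.sample"
}
```

Run leftover_cluster_problems on the app directory after the cleanup; a non-zero count means a stray inputs.conf or eventgen.conf still sits somewhere in the app tree.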
