All Apps and Add-ons

"invalid key in stanza" error after restarting the forwarder using Splunk_TA_nix (Splunk Add-on for Unix and Linux) in eventgen.conf on forwarders running on AIX operating system

edoardo_vicendo
Contributor

Hi All,

We have installed the Splunk_TA_nix (Splunk Add-on for Unix and Linux - https://splunkbase.splunk.com/app/833/) in the Search Head (/opt/splunk/etc/deployment-apps folder), added a /local folder with inputs.conf enabling all the scripts supported for AIX (based on what is indicated here https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes) but after have deployed the app in the forwarders that are running on AIX we are getting those errors in eventgen.conf:

    Checking mgmt port [8089]: open
    Checking conf files for problems...
            Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 4: interval  (value:  10).
            Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 5: earliest  (value:  -10m).
            Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 6: latest  (value:  now).
            Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 7: source  (value:  sample.dhcpd).
            Invalid key in stanza [sample.dhcpd] in /home/myuser/opt/splunkforwarder/etc/apps/Splunk_TA_nix/default/eventgen.conf, line 8: sourcetype  (value:  dhcpd).

and lot more with same error.
Do you know how can we solve it?

Thanks a lot,
Edoardo

0 Karma
1 Solution

woodcock
Esteemed Legend

You should always do 2 things for any app that you download from the internet and move to production:
1: remove the samples directory
2: remove eventget.conf
This is unnecessary and sometimes dangerous fluff as far as production goes.

View solution in original post

woodcock
Esteemed Legend

You should always do 2 things for any app that you download from the internet and move to production:
1: remove the samples directory
2: remove eventget.conf
This is unnecessary and sometimes dangerous fluff as far as production goes.

edoardo_vicendo
Contributor

Really thanks for your feedback. Currently I am testing it in our development environment, I will take care to remove them.

0 Karma

woodcock
Esteemed Legend

Be sure to click Accept to close the question on the best answer and UpVote any other helpful comment.

0 Karma

ragedsparrow
SplunkTrust
SplunkTrust

If you aren't going to use it, you can remove eventgen.conf from the app (or rename it to something like eventgen.bak). The TA has no spec file for the eventgen.conf file and that may be what is causing this error. This error will not affect the function of the

edoardo_vicendo
Contributor

Hi ragedsparrow, thanks for your feedback, I will remove eventgen.conf file as well as any sample directory as mentioned by woodcock

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...