When I start up Splunk (v6.3.0 for Linux), I've noticed warning messages when Splunk is checking conf files for problems.
It finds several issues with the default prefs.conf file, telling me several items have invalid keys.
What's the story with this behavior?
There is still a default prefs.conf file in 6.3. Check the manifest file in your SPLUNK_HOME directory; it has a list of the files from the installer.
Is this a new installation of Splunk or an upgrade? If it's an upgrade, check to see if your etc/system/default/prefs.conf file is read-only. It could be that when you upgraded, you were unable to overwrite the file, and now Splunk is complaining. An easy fix would be to adjust the permissions on the existing file, pull a copy of the new file from the tar.gz installer and copy it over the existing one.
The manifest file I have for my 6.3.0 install still lists the default/prefs.conf. The file permissions are 440 instead of the 444 listed in the manifest, though all the files in the default directory have been at least touched by the upgrade. In the past, if we've had permission issues, I see the errors immediately with the tarball deployment.
I pulled the file from the tar.gz installation and checked it against the installed file and the diff command reported no differences in the two files.
The warnings are about the following issues:
stanza [default]: line 23: clicksAppendToSearch (value: true)
stanza [default]: line 24: defaultTimeRange (value: startMonthsAgo=3)
stanza [default]: line 33: maxLines (value: 10)
stanza [default]: line 36: reportColumnList (value: )
stanza [default]: line 37: chartLastPlotMode (value: column)
stanza [default]: line 49: dashboardintrogettingstarted (value: /static/html/gettingstarted.html)
stanza [default]: line 59: dashboardcustomListAllindexeddatasearches (value: .....)
stanza [default]: line 60: dashboardcustomListAllindexeddatalabels (value: Sources, Sourcetypes, Hosts)
stanza [default]: line 62: dashboardcustomListSavedsearchessearches (value: .....)
stanza [default]: line 63: dashboardcustomListSavedsearcheslables (value: )
I recall at least one occurrence where the .spec file was not updated with 6.3, leading to startup warnings. Without knowing which keys your installation complains about, it's hard to say whether you are experiencing the same issue. I would definitely try to upgrade to the latest 6.3.x version available on splunk.com.
And/Or, please update your question with the warnings you see.
I listed the warnings above. It's not so easy for me to just upgrade to the new version. I have to get a bunch of approvals before I can do that. However, it seems I have seen this in the past few upgrades I have done (6.2.2, 6.2.4 at the very least).
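
Added example (not part of the thread and not Splunk's own validator): a minimal Python sketch of the mechanism raised in the answer above, where a key that is present in a conf file but not declared in the matching .spec file is reported as invalid. It assumes literal `key = value` lines only, treats settings before any stanza header as belonging to [default], and uses constructed sample text rather than the shipped prefs.conf or its .spec file.

```python
# Added example: flag conf keys that have no matching entry in a .spec file.
# Simplified model of a conf-vs-spec check; not Splunk's own validator.
import re

STANZA = re.compile(r"^\[(.*)\]\s*$")
KEY = re.compile(r"^([^=\s]+)\s*=\s*(.*)$")

def parse(text):
    """Return {stanza: {key: (line_no, value)}} for conf- or spec-style text."""
    stanzas, current = {}, "default"  # assumption: pre-stanza keys are [default]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = STANZA.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = KEY.match(line)
        if m:
            stanzas.setdefault(current, {})[m.group(1)] = (no, m.group(2))
    return stanzas

def invalid_keys(conf_text, spec_text):
    """List (stanza, line_no, key, value) for conf keys the spec does not declare."""
    conf, spec = parse(conf_text), parse(spec_text)
    findings = []
    for stanza, keys in conf.items():
        allowed = set(spec.get(stanza, {}))
        for key, (no, value) in keys.items():
            if key not in allowed:
                findings.append((stanza, no, key, value))
    return sorted(findings, key=lambda f: f[1])

# Constructed sample data (not the shipped prefs.conf or prefs.conf.spec).
SAMPLE_SPEC = "[default]\nmaxLines = <integer>\n"
SAMPLE_CONF = (
    "# constructed excerpt\n"
    "[default]\n"
    "maxLines = 10\n"
    "chartLastPlotMode = column\n"
    "reportColumnList =\n"
)

if __name__ == "__main__":
    for stanza, no, key, value in invalid_keys(SAMPLE_CONF, SAMPLE_SPEC):
        print(f"stanza [{stanza}]: line {no}: {key} (value: {value})")
```

If the conf file is byte-identical to the installer's copy and keys are still flagged, the stale side is the .spec file, which is the case the answer describes.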