Splunk App for WebSphere - Splunk Enterprise 6.1.2

millern4
Communicator

Hello,

We are currently evaluating the Splunk App for WebSphere in our development environment. This environment contains 1 search head and 1 indexer.

Upon unpacking the application into /etc/apps and restarting Splunk I see the following errors on the command line:

Checking conf files for problems...

Invalid key in stanza [WebSphere:ServerExceptionLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 4: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:NativeStdOutErrLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 16: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:NativeStdOutErrLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 17: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:SystemOutErrLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 29: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:SystemOutErrLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 30: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:StartStopServerLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 36: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:StartStopServerLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 37: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:wsadminTraceout] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 46: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:wsadminTraceout] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 47: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [source::...[/\]native*.log] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 60: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:security] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 130: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:security] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 131: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:pmiconfig] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 135: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:pmiconfig] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 136: TRANSFORM-node (value: node-extract)
Invalid key in stanza [WebSphere:pmiconfig] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 137: TRANSFORM-server (value: servers-extract)
Invalid key in stanza [WebSphere:pmiconfig] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 138: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:node-metadata.properties] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 142: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:node-metadata.properties] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 143: TRANSFORM-node (value: node-extract)
Invalid key in stanza [WebSphere:node-metadata.properties] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 144: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:serverindex] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 148: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:serverindex] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 149: TRANSFORM-node (value: node-extract)
Invalid key in stanza [WebSphere:serverindex] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 150: TRANSFORM-server (value: servers-extract)
Invalid key in stanza [WebSphere:serverindex] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 151: TRANSFORM-profile (value: profile-extract)
Invalid key in stanza [WebSphere:cluster] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 156: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:cluster] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 157: TRANSFORM-cluster (value: cluster-extract)
Invalid key in stanza [WebSphere:cluster] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 158: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:deployment] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 162: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:deployment] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 163: TRANSFORM-application (value: application-extract)
Invalid key in stanza [WebSphere:deployment] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 164: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:fileregistry] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 168: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:fileregistry] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 169: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:nodegroup] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 173: TRANSFORM-cell (value: cell-extract)
Invalid key in stanza [WebSphere:nodegroup] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 174: TRANSFORM-nodegroup (value: nodegroup-extract)
Invalid key in stanza [WebSphere:nodegroup] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 175: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:HTTPlog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 185: TRANSFORM-was_server (value: server-extract)
Invalid key in stanza [WebSphere:HTTPlog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 186: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:ActivityLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 194: TRANSFORM-was_host (value: host-extract)
Invalid key in stanza [WebSphere:ActivityLog] in /splunk/etc/apps/splunk_app_was/default/props.conf, line 195: TRANSFORM-profile (value: profile-extract)
Invalid key in stanza [UPMCAD2] in /splunk/etc/system/local/authentication.conf, line 22: pagesize (value: 0)
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Regex: subpattern name is too long (maximum 32 characters). Bad regex: (?i)0SECTION\s*(?P[\w ]*)
Config problem: invalid regex: props.conf / [WebSphere:javacore] / EXTRACT-websphere_DumpRoutineSubComponents
One or more regexes in your configuration are not valid. For details, please see directly above.

I was trying to look through documentation to see if any of these attributes contained in the props.conf or transforms.conf had been deprecated that I may be able to comment out, but for a Splunk Supported app that I just installed, that's just way too many errors to ignore.

Any help / suggestions are appreciated.

Thank you

1 Solution

ehorjus
Explorer

You have 3 issues:

1) The TRANSFORM messages are a known issue: http://docs.splunk.com/Documentation/WAS/latest/ReleaseNotes/Knownissues . In short: edit props.conf in the default directory and change all words TRANSFORM to TRANSFORMS. Then restart Splunk.

2) indexes and inputs configurations are not internally consistent: some apps contain indexes.conf, depending on whether you created an index while you started from some of those apps. If you upgraded to 6.1, move all entries from gettingstarted/local/indexes.conf to another app. Then restart Splunk.

3) Regex issue: also in default/props.conf, change the word websphere_DumpRoutineSubComponents (34 characters) to something smaller. It seems the field is not used in any search of the app and I guess you're not going to index javacore files. The field is probably some preparation for some search/view in the future.

Erwin
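
As an added example (not part of the original posts and not code from the app), a Python check for issues 1 and 3 above: it flags TRANSFORM- keys and capture-group names over the 32-character limit, and renames the keys with an anchored pattern so that a second run cannot produce TRANSFORMSS-. The sample props.conf is constructed, and the capture-group name in it is an assumed value because the regex quoted in the question lost it.

```python
import re

MAX_GROUP_NAME = 32  # limit quoted in the splunkd error message in the question
# Match only a key at the start of a line, so existing TRANSFORMS- keys are untouched.
KEY_RE = re.compile(r"^([ \t]*)TRANSFORM-(?=[\w-]+\s*=)", re.M)
# Named groups (?P<name>...) or (?<name>...); lookbehinds (?<= / (?<! do not match.
GROUP_RE = re.compile(r"\(\?P?<([A-Za-z_]\w*)>")

# Constructed sample modelled on the errors in the question. The capture-group
# name is an assumption: the page's copy of the regex shows only "(?P[\w ]*)".
SAMPLE = r"""
[WebSphere:SystemOutErrLog]
TRANSFORM-was_server = server-extract
TRANSFORMS-was_host = host-extract

[WebSphere:javacore]
EXTRACT-websphere_DumpRoutineSubComponents = (?i)0SECTION\s*(?P<websphere_DumpRoutineSubComponents>[\w ]*)
"""

def lint_props(text):
    """Return (line_no, stanza, problem) tuples for the two props.conf defects."""
    findings, stanza = [], None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            stanza = stripped[1:-1]
        elif stripped.startswith("#") or "=" not in stripped:
            continue
        else:
            key, value = (part.strip() for part in stripped.split("=", 1))
            if key.startswith("TRANSFORM-"):
                findings.append((no, stanza, f"invalid key {key}"))
            if key.startswith("EXTRACT-"):
                for name in GROUP_RE.findall(value):
                    if len(name) > MAX_GROUP_NAME:
                        findings.append(
                            (no, stanza, f"group name {name} is {len(name)} chars"))
    return findings

def fix_transform_keys(text):
    """Rename TRANSFORM-<class> keys to TRANSFORMS-<class>; safe to run twice."""
    return KEY_RE.sub(r"\1TRANSFORMS-", text)

if __name__ == "__main__":
    for finding in lint_props(SAMPLE):
        print(finding)
    print(fix_transform_keys(SAMPLE))
```

To check a real file, pass its contents to lint_props() and review the findings before writing the output of fix_transform_keys() back.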

millern4
Communicator

Many thanks, I have made the changes. I like using the /gc just to confirm each change 1 by 1. Thanks!

0 Karma

ehorjus
Explorer

The dot at the end of the URL was the cause. I fixed the link. It brings you to the right location now.

In vi: %s/TRANSFORM/TRANSFORMS/g

0 Karma

millern4
Communicator

Thank you for the response. I looked for known issues with your link, but it does not resolve properly.

I also looked through the official app answers page and didn't find any information, so I appreciate your post.

http://answers.splunk.com/apps/188/related_questions/

0 Karma