Splunk is unable to start

Communicator

Hi to everyone:

I have this problem when I try to start Splunk. Here's the error message:

./splunk start

Splunk> Take the sh out of IT.

Checking prerequisites...
Checking http port [8000]: open
Checking mgmt port [8089]: open
Checking appserver port [127.0.0.1:8065]: open
Checking kvstore port [8191]: open
Checking configuration... Done.
Checking critical directories... Done
Checking indexes...
Validated: audit _blocksignature _internal _introspection _thefishbucket accesssummary accesssummary2 auditsummary auditsummary2 bro cimsummary ciscokcc endpointsummary endpointsummary2 firedalerts history main netflow networksummary networksummary2 networksummary3 notable notablesummary os proxycentersummary proxycentersummary2 risk sessionend sessionstart summary trafficcentersummary trafficcentersummary2 whois
Done
Checking filesystem compatibility... Done
Checking conf files for problems...
Invalid key in stanza [samplelogcss.cisco-wsa-squid] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 2: sourcetype (value: cisco:wsa:squid)
Invalid key in stanza [samplelogcss.cisco-wsa-squid] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 7: hourOfDayRate (value: { "0":0.1, "1":0.1, "2":0.1, "3":0.1, "4":0.1, "5":0.25, "6":0.35, "7":0.45, "8":0.65, "9":0.8, "10":1.0, "11":1.0, "12":1.0, "13":1.0, "14":1.0, "15":1.0, "16":1.0, "17":0.9, "18":0.8, "19":0.7, "20":0.6, "21":0.4, "22":0.2, "23":0.1 })
Invalid key in stanza [samplelogcss.cisco-wsa-squid] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 8: dayOfWeekRate (value: { "0":0.5, "1":1.0, "2":1.0, "3":1.0, "4":1.0, "5":1.0, "6":0.75 })
Invalid key in stanza [samplelogcss.cisco-wsa-squid] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 9: randomizeCount (value: 0.2)
Invalid key in stanza [samplelogcss.cisco-wsa-squid] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 10: randomizeEvents (value: true)
Invalid key in stanza [samplelogcss.cisco-wsa-squid] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 11: sampletype (value: csv)
Invalid key in stanza [samplescss.search] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 36: hourOfDayRate (value: { "0":0.1, "1":0.1, "2":0.1, "3":0.1, "4":0.1, "5":0.25, "6":0.35, "7":0.45, "8":0.65, "9":0.8, "10":1.0, "11":1.0, "12":1.0, "13":1.0, "14":1.0, "15":1.0, "16":1.0, "17":0.9, "18":0.8, "19":0.7, "20":0.6, "21":0.4, "22":0.2, "23":0.1 })
Invalid key in stanza [samplescss.search] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 37: dayOfWeekRate (value: { "0":0.5, "1":1.0, "2":1.0, "3":1.0, "4":1.0, "5":1.0, "6":0.75 })
Invalid key in stanza [samplescss.search] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 38: randomizeCount (value: 0.2)
Invalid key in stanza [samplescss.search] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 39: randomizeEvents (value: true)
Invalid key in stanza [samplescss.search] in /opt/splunk/etc/apps/SplunkCiscoSecuritySuite/default/eventgen.conf, line 40: sampletype (value: csv)
Invalid key in stanza [CIM-Alerts] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 6: outputMode (value: spool)
Invalid key in stanza [CIM-ApplicationState] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 56: outputMode (value: spool)
Invalid key in stanza [CIM-Authentication] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 126: outputMode (value: spool)
Invalid key in stanza [CIM-Authentication] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 128: randomizeEvents (value: True)
Invalid key in stanza [CIM-Inventory] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 156: outputMode (value: spool)
Invalid key in stanza [CIM-Inventory] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 158: randomizeEvents (value: True)
Invalid key in stanza [CIM-Database] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 277: outputMode (value: spool)
Invalid key in stanza [CIM-Database] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 279: randomizeEvents (value: True)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 4: recursive (value: False)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 6: storedir (value: $SPLUNKHOME/var/spool/splunk)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 8: brobin (value: /opt/bro/bin/bro)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 9: broopts (value: -C)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 10: broscript (value: None)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 11: broseeds (value: None)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 12: bromerge (value: False)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 15: contentmaxsize (value: 1024)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 18: runmaxtime (value: 1800)
Invalid key in stanza [samplelog.cisco.asa] in /opt/splunk/etc/apps/SplunkTAcisco-asa/default/eventgen.conf, line 6: sourcetype (value: cisco:asa)
Invalid key in stanza [samplelog.cisco.fwsm] in /opt/splunk/etc/apps/SplunkTAcisco-asa/default/eventgen.conf, line 76: sourcetype (value: cisco:fwsm)
Invalid key in stanza [samplelog.cisco.pix] in /opt/splunk/etc/apps/SplunkTAcisco-asa/default/eventgen.conf, line 131: sourcetype (value: cisco:pix)
Invalid key in stanza [syslog.ciscowsa.access] in /opt/splunk/etc/apps/SplunkTAcisco-wsa/default/eventgen.conf, line 2: sourcetype (value: cisco:wsa:squid)
Invalid key in stanza [syslog.ciscowsa.access] in /opt/splunk/etc/apps/SplunkTAcisco-wsa/default/eventgen.conf, line 7: maxIntervalsBeforeFlush (value: 1)
Invalid key in stanza [samplelog.ciscowsa.access] in /opt/splunk/etc/apps/SplunkTAcisco-wsa/default/eventgen.conf, line 42: sourcetype (value: cisco:wsa:squid)
Invalid key in stanza [samplelog.ciscowsa.l4tm] in /opt/splunk/etc/apps/SplunkTAcisco-wsa/default/eventgen.conf, line 79: sourcetype (value: cisco:wsa:l4tm)
Invalid key in stanza [sample.v4.mcafeeepo] in /opt/splunk/etc/apps/SplunkTAmcafee/default/eventgen.conf, line 9: source (value: mcafeev4.sample)
Invalid key in stanza [sample.v4.mcafeeepo] in /opt/splunk/etc/apps/SplunkTAmcafee/default/eventgen.conf, line 10: sourcetype (value: mcafee:epo)
Invalid key in stanza [sample.v5.mcafeeepo] in /opt/splunk/etc/apps/SplunkTAmcafee/default/eventgen.conf, line 40: source (value: mcafeev5.sample)
Invalid key in stanza [sample.v5.mcafeeepo] in /opt/splunk/etc/apps/SplunkTAmcafee/default/eventgen.conf, line 41: sourcetype (value: mcafee:epo)
Invalid key in stanza [sample.mcafeeids] in /opt/splunk/etc/apps/SplunkTAmcafee/default/eventgen.conf, line 80: source (value: mcafeeids.sample)
Invalid key in stanza [sample.mcafeeids] in /opt/splunk/etc/apps/SplunkTAmcafee/default/eventgen.conf, line 81: sourcetype (value: mcafee:ids)
Value in stanza [app=/network/ntp:default] in /opt/splunk/etc/apps/SplunkTAnix/default/tags.conf, line 783 not URI encoded: app = /network/ntp:default
Value in stanza [shell=/bin/bash] in /opt/splunk/etc/apps/SplunkTAnix/default/tags.conf, line 835 not URI encoded: shell = /bin/bash
Value in stanza [shell=/bin/sh] in /opt/splunk/etc/apps/SplunkTAnix/default/tags.conf, line 838 not URI encoded: shell = /bin/sh
Value in stanza [shell=/usr/bin/bash] in /opt/splunk/etc/apps/SplunkTAnix/default/tags.conf, line 841 not URI encoded: shell = /usr/bin/bash
Value in stanza [shell=/usr/bin/pfksh] in /opt/splunk/etc/apps/SplunkTAnix/default/tags.conf, line 844 not URI encoded: shell = /usr/bin/pfksh
Value in stanza [shell=/usr/bin/pfsh] in /opt/splunk/etc/apps/SplunkTAnix/default/tags.conf, line 847 not URI encoded: shell = /usr/bin/pfsh
Value in stanza [ServiceName=kadmin/changepw] in /opt/splunk/etc/apps/SplunkTAwindows/default/tags.conf, line 121 not URI encoded: ServiceName = kadmin/changepw
Value in stanza [app=win:local] in /opt/splunk/etc/apps/SplunkTAwindows/default/tags.conf, line 184 not URI encoded: app = win:local
Value in stanza [app=win:remote] in /opt/splunk/etc/apps/SplunkTAwindows/default/tags.conf, line 187 not URI encoded: app = win:remote
Value in stanza [signature=Credit Card Number detected in Clear Text] in /opt/splunk/etc/apps/TA-snort/default/tags.conf, line 8 not URI encoded: signature = Credit Card Number detected in Clear Text
Value in stanza [signature=SENSITIVE-DATA Credit Card Numbers] in /opt/splunk/etc/apps/TA-snort/default/tags.conf, line 13 not URI encoded: signature = SENSITIVE-DATA Credit Card Numbers
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done

Waiting for web server at https://127.0.0.1:8000 to be available..

WARNING: web interface does not seem to be available!

Please help me with this error. Any help will be very appreciated.

Regards

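The startup output in the post above buries one failure line under dozens of per-key conf messages. The following is an added example, not part of the original thread: a Python helper that groups those messages by app and conf file and keeps the WARNING lines separate. The sample input is abridged from the output quoted above; the function and variable names are illustrative.

```python
import re
from collections import Counter

# Abridged from the startup output quoted in the post above.
SAMPLE = """\
Checking http port [8000]: open
Checking appserver port [127.0.0.1:8065]: open
Invalid key in stanza [CIM-Alerts] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 6: outputMode (value: spool)
Invalid key in stanza [CIM-ApplicationState] in /opt/splunk/etc/apps/SplunkSACIM/default/eventgen.conf, line 56: outputMode (value: spool)
Invalid key in stanza [pcapmonitor] in /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf, line 6: storedir (value: $SPLUNKHOME/var/spool/splunk)
Value in stanza [shell=/bin/sh] in /opt/splunk/etc/apps/SplunkTAnix/default/tags.conf, line 838 not URI encoded: shell = /bin/sh
All preliminary checks passed.
Waiting for web server at https://127.0.0.1:8000 to be available..
WARNING: web interface does not seem to be available!
"""

# "Checking <name> port [<optional host:>port]: <state>"
PORT_RE = re.compile(r"^Checking (\S+) port \[(?:[\d.]+:)?(\d+)\]:\s*(\S+)")
# "Invalid key in stanza [...] in <path>, line N: ..." and
# "Value in stanza [...] in <path>, line N not URI encoded: ..."
CONF_RE = re.compile(
    r"^(?P<kind>Invalid key|Value) in stanza \[.*?\] in "
    r"(?P<path>\S+/etc/apps/(?P<app>[^/]+)/\S+?), line \d+"
)


def triage(output):
    """Split startup output into port checks, per-file conf messages, warnings."""
    ports, conf_counts, warnings = {}, Counter(), []
    for raw in output.splitlines():
        line = raw.strip()
        if m := PORT_RE.match(line):
            ports[int(m.group(2))] = (m.group(1), m.group(3))
        elif m := CONF_RE.match(line):
            kind = "invalid_key" if m["kind"] == "Invalid key" else "not_uri_encoded"
            conf_file = m["path"].rsplit("/", 1)[-1]
            conf_counts[(m["app"], conf_file, kind)] += 1
        elif line.startswith("WARNING:"):
            warnings.append(line)
    return ports, conf_counts, warnings


if __name__ == "__main__":
    ports, conf_counts, warnings = triage(SAMPLE)
    for port, (name, state) in sorted(ports.items()):
        print(f"port {port} ({name}): {state}")
    for (app, conf_file, kind), n in conf_counts.most_common():
        print(f"{n:3d}  {kind:<16} {app}/{conf_file}")
    for w in warnings:
        print(w)
```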
1 Solution

Communicator

I solved it. I deleted the /opt/splunk/var/lib/splunk/defaultdb/thaweddb directory, and then splunk started without problem. Thanks to stepahnefotso anyways.


Motivator

Are you the only user on your machine? If not, check whether another user is using port 8000 on your machine.
You can also think about changing your splunk-web port default value by reading here:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Changedefaultvalues#Change_network_ports


Communicator

I'm the only user on my machine. I have changed the port to 9000 as you suggested, but I have the same error messages.

Motivator

Did you change splunkd default port also?


Communicator

Yes, I changed the splunkd default port also.