Archive2
Highlighted

Configure 10Gbps network capture - Invalid key in stanza [streamfwd] in /opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.conf,

New Member

Hey Splunkers,

Why am I getting the following error message when running dedicated capture mode for Splunk stream? Followed the instructions outlined here.

I'm currently testing dedicated capture mode on Ubuntu instead of RHEL/CentOS. I don't think thats the problem though.

Invalid key in stanza [streamfwd] in /opt/splunk/etc/apps/SplunkTAstream/local/streamfwd.conf, line 4: dedicatedCaptureMode (value: 1).
Did you mean 'duplicatePacketWindow'?

Here are my current config files for directory /opt/splunk/etc/apps/SplunkTAstream/local#

inputs.conf
[streamfwd://streamfwd]
splunkstreamapplocation = http://localhost:8000/en-us/custom/splunkappstream/
stream
forwarder_id =
disabled = 0

streamfwd.conf
[streamfwd]
dedicatedCaptureMode = 1
streamfwdcapture.0.interface = 0000:86:00.1

streamfwd.xml.bak

<InterfaceRegex>enp134s0f1</InterfaceRegex>
<Offline>false</Offline>

Here is the output from the debug using btool:
sudo ./splunk btool check --debug
Checking: /opt/splunk/etc/users/admin/search/local/ui-prefs.conf
Checking: /opt/splunk/etc/users/admin/search/local/ui-tour.conf
Checking: /opt/splunk/etc/users/admin/splunkappstream/local/ui-prefs.conf
Checking: /opt/splunk/etc/users/admin/user-prefs/local/user-prefs.conf
Checking: /opt/splunk/etc/apps/SplunkTAbro/local/inputs.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/local/inputs.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/local/streamfwd.conf
Invalid key in stanza [streamfwd] in /opt/splunk/etc/apps/SplunkTAstream/local/streamfwd.conf, line 2: dedicatedCaptureMode (value: 1).
Did you mean 'duplicatePacketWindow'?
Checking: /opt/splunk/etc/apps/learned/local/props.conf
Checking: /opt/splunk/etc/apps/splunkhttpinput/local/inputs.conf
Checking: /opt/splunk/etc/apps/splunk
instrumentation/local/telemetry.conf
Checking: /opt/splunk/etc/apps/SplunkForwarder/default/app.conf
Checking: /opt/splunk/etc/apps/SplunkForwarder/default/default-mode.conf
Checking: /opt/splunk/etc/apps/SplunkForwarder/default/outputs.conf
Checking: /opt/splunk/etc/apps/SplunkForwarder/default/server.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/app.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/default-mode.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/indexes.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/inputs.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/limits.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/outputs.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/props.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/server.conf
Checking: /opt/splunk/etc/apps/SplunkLightForwarder/default/web.conf
Checking: /opt/splunk/etc/apps/SplunkTAbro/default/app.conf
Checking: /opt/splunk/etc/apps/SplunkTAbro/default/commands.conf
No spec file for: /opt/splunk/etc/apps/SplunkTAbro/default/eventgen.conf
Checking: /opt/splunk/etc/apps/SplunkTAbro/default/eventtypes.conf
Checking: /opt/splunk/etc/apps/SplunkTAbro/default/indexes.conf
Checking: /opt/splunk/etc/apps/SplunkTAbro/default/inputs.conf
Checking: /opt/splunk/etc/apps/SplunkTAbro/default/props.conf
Checking: /opt/splunk/etc/apps/SplunkTAbro/default/tags.conf
Checking: /opt/splunk/etc/apps/SplunkTAbro/default/transforms.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/app.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/distsearch.conf
No spec file for: /opt/splunk/etc/apps/SplunkTAstream/default/eventgen.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/eventtypes.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/inputs.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/outputs.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/props.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/server.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/streamfwd.conf
No spec file for: /opt/splunk/etc/apps/SplunkTAstream/default/streamfwdlog.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/tags.conf
Checking: /opt/splunk/etc/apps/SplunkTAstream/default/transforms.conf
Checking: /opt/splunk/etc/apps/alertlogevent/default/alertactions.conf
Checking: /opt/splunk/etc/apps/alertlogevent/default/app.conf
Checking: /opt/splunk/etc/apps/alert
logevent/default/restmap.conf
Checking: /opt/splunk/etc/apps/alertwebhook/default/alertactions.conf
Checking: /opt/splunk/etc/apps/alertwebhook/default/app.conf
Checking: /opt/splunk/etc/apps/alert
webhook/default/restmap.conf
Checking: /opt/splunk/etc/apps/appsbrowser/default/app.conf
Checking: /opt/splunk/etc/apps/gettingstarted/default/app.conf
Checking: /opt/splunk/etc/apps/introspectiongeneratoraddon/default/app.conf
Checking: /opt/splunk/etc/apps/introspectiongeneratoraddon/default/inputs.conf
Checking: /opt/splunk/etc/apps/introspectiongeneratoraddon/default/server.conf
Checking: /opt/splunk/etc/apps/launcher/default/app.conf
Checking: /opt/splunk/etc/apps/launcher/default/launcher.conf
Checking: /opt/splunk/etc/apps/legacy/default/app.conf
Checking: /opt/splunk/etc/apps/legacy/default/props.conf
Checking: /opt/splunk/etc/apps/sampleapp/default/app.conf
Checking: /opt/splunk/etc/apps/sample
app/default/indexes.conf
Checking: /opt/splunk/etc/apps/sampleapp/default/inputs.conf
Checking: /opt/splunk/etc/apps/sample
app/default/props.conf
Checking: /opt/splunk/etc/apps/search/default/app.conf
Checking: /opt/splunk/etc/apps/search/default/commands.conf
Checking: /opt/splunk/etc/apps/search/default/eventrenderers.conf
Checking: /opt/splunk/etc/apps/search/default/macros.conf
Checking: /opt/splunk/etc/apps/search/default/props.conf
Checking: /opt/splunk/etc/apps/search/default/restmap.conf
Checking: /opt/splunk/etc/apps/search/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/search/default/transforms.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/app.conf
No spec file for: /opt/splunk/etc/apps/splunk
appstream/default/cloud.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/collections.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/distsearch.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/eventtypes.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/inputs.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/macros.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/restmap.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/times.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/ui-tour.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/web.conf
Checking: /opt/splunk/etc/apps/splunk
appstream/default/workflowactions.conf
Checking: /opt/splunk/etc/apps/splunkarchiver/default/app.conf
Checking: /opt/splunk/etc/apps/splunk
archiver/default/commands.conf
Checking: /opt/splunk/etc/apps/splunkarchiver/default/distsearch.conf
Checking: /opt/splunk/etc/apps/splunk
archiver/default/props.conf
Checking: /opt/splunk/etc/apps/splunkarchiver/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/splunk
httpinput/default/inputs.conf
Checking: /opt/splunk/etc/apps/splunkinstrumentation/default/alertactions.conf
Checking: /opt/splunk/etc/apps/splunkinstrumentation/default/app.conf
Checking: /opt/splunk/etc/apps/splunk
instrumentation/default/collections.conf
Checking: /opt/splunk/etc/apps/splunkinstrumentation/default/commands.conf
Checking: /opt/splunk/etc/apps/splunk
instrumentation/default/inputs.conf
Checking: /opt/splunk/etc/apps/splunkinstrumentation/default/macros.conf
Checking: /opt/splunk/etc/apps/splunk
instrumentation/default/props.conf
Checking: /opt/splunk/etc/apps/splunkinstrumentation/default/restmap.conf
Checking: /opt/splunk/etc/apps/splunk
instrumentation/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/splunkinstrumentation/default/telemetry.conf
Checking: /opt/splunk/etc/apps/splunk
instrumentation/default/web.conf
Checking: /opt/splunk/etc/apps/splunkmonitoringconsole/default/app.conf
Checking: /opt/splunk/etc/apps/splunkmonitoringconsole/default/checklist.conf
Checking: /opt/splunk/etc/apps/splunkmonitoringconsole/default/distsearch.conf
Checking: /opt/splunk/etc/apps/splunkmonitoringconsole/default/dmcalerts.conf
Checking: /opt/splunk/etc/apps/splunk
monitoringconsole/default/inputs.conf
Checking: /opt/splunk/etc/apps/splunk
monitoringconsole/default/macros.conf
Checking: /opt/splunk/etc/apps/splunk
monitoringconsole/default/props.conf
Checking: /opt/splunk/etc/apps/splunk
monitoringconsole/default/savedsearches.conf
Checking: /opt/splunk/etc/apps/splunk
monitoringconsole/default/splunkmonitoringconsoleassets.conf
Checking: /opt/splunk/etc/apps/splunkmonitoringconsole/default/transforms.conf
Checking: /opt/splunk/etc/apps/splunkmonitoringconsole/default/visualizations.conf
Checking: /opt/splunk/etc/apps/user-prefs/default/app.conf
Checking: /opt/splunk/etc/apps/user-prefs/default/user-prefs.conf
Checking: /opt/splunk/etc/master-apps/cluster/default/indexes.conf
Checking: /opt/splunk/etc/system/default/alert
actions.conf
Checking: /opt/splunk/etc/system/default/app.conf
Checking: /opt/splunk/etc/system/default/audit.conf
Checking: /opt/splunk/etc/system/default/authentication.conf
Checking: /opt/splunk/etc/system/default/authorize.conf
Checking: /opt/splunk/etc/system/default/collections.conf
Checking: /opt/splunk/etc/system/default/commands.conf
No spec file for: /opt/splunk/etc/system/default/conf.conf
Checking: /opt/splunk/etc/system/default/datamodels.conf
Checking: /opt/splunk/etc/system/default/datatypesbnf.conf
Checking: /opt/splunk/etc/system/default/default-mode.conf
Checking: /opt/splunk/etc/system/default/distsearch.conf
Checking: /opt/splunk/etc/system/default/eventrenderers.conf
Checking: /opt/splunk/etc/system/default/eventdiscoverer.conf
Checking: /opt/splunk/etc/system/default/eventtypes.conf
Checking: /opt/splunk/etc/system/default/fields.conf
Checking: /opt/splunk/etc/system/default/health.conf
Checking: /opt/splunk/etc/system/default/indexes.conf
Checking: /opt/splunk/etc/system/default/inputs.conf
Checking: /opt/splunk/etc/system/default/limits.conf
Checking: /opt/splunk/etc/system/default/livetail.conf
Checking: /opt/splunk/etc/system/default/messages.conf
Checking: /opt/splunk/etc/system/default/multikv.conf
Checking: /opt/splunk/etc/system/default/outputs.conf
Checking: /opt/splunk/etc/system/default/procmon-filters.conf
Checking: /opt/splunk/etc/system/default/props.conf
Checking: /opt/splunk/etc/system/default/restmap.conf
Checking: /opt/splunk/etc/system/default/savedsearches.conf
Checking: /opt/splunk/etc/system/default/segmenters.conf
Checking: /opt/splunk/etc/system/default/server.conf
Checking: /opt/splunk/etc/system/default/serverclass.conf
Checking: /opt/splunk/etc/system/default/source-classifier.conf
Checking: /opt/splunk/etc/system/default/telemetry.conf
Checking: /opt/splunk/etc/system/default/times.conf
Checking: /opt/splunk/etc/system/default/transactiontypes.conf
Checking: /opt/splunk/etc/system/default/transforms.conf
Checking: /opt/splunk/etc/system/default/ui-prefs.conf
Checking: /opt/splunk/etc/system/default/ui-tour.conf
Checking: /opt/splunk/etc/system/default/viewstates.conf
Checking: /opt/splunk/etc/system/default/visualizations.conf
Checking: /opt/splunk/etc/system/default/web.conf
Checking: /opt/splunk/etc/system/default/workflow
actions.conf
Checking: /opt/splunk/etc/system/local/inputs.conf
No spec file for: /opt/splunk/etc/system/local/migration.conf
Checking: /opt/splunk/etc/system/local/server.conf

Tags (1)
0 Karma
Reply