Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cluster master cannot push configuration bundle due to validation error: "No spec file" and "Invalid key in stanza"

jreuter_splunk
Splunk Employee
Splunk Employee
‎07-20-2015 12:45 PM

I just installed some new apps (updated some as well) on my Splunk indexer cluster and attempted to push the bundle. When the bundle tries to push, I get the following errors:

In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. 
The following errors were encountered: No spec file for: C:\ProgramFiles\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\eventgen.conf ; 
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] inC:\Program Files\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\workflow_actions.conf, line 10: ise.host (value: Please update ISE host information before enabling) ; 
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in C:\Program Files\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\workflow_actions.conf, line 11: ise.version (value: 1.2) ; …

I can’t push my bundle out as a result of this issue, what is causing this problem?

Reply
1 Solution
Solved! Jump to solution
Solution

kserra_splunk
Splunk Employee
Splunk Employee
‎07-20-2015 12:52 PM

The error message is indicating that the cluster master is attempting to push .conf files for which is does not contain a valid SPEC file. For example the eventgen.conf does not exist as part of the default splunk install. Therefore if an app wants to leverage this file , it would need a corresponding SPEC file in order to utilize this eventgen.conf. Because this file is missing the bundle will flag the config as invalid and refuse to push it until it's resolved

You can fix this issue in one of a few ways

  • You can remove all instances of the problematic .conf files (this could possibly break app functionality)
  • If you recently upgraded an app and started getting this issue, you should make sure that when you upgraded you did not leave in place any .conf files that are no longer leveraged by the app
  • You can add in the spec files for the .conf files referenced, this will allow splunk to push out the cluster bundle and avoid the errors.
  • You can push the bundle to ignore these errors by adding the --skip-validation flag (not recommended unless you know what you are doing as this could cause bad conf to get pushed out)

If you find that an app is giving you these errors AND the spec file for that app is not included, you may want to alert the app developer of this problem.

View solution in original post

Reply
Solved! Jump to solution
Solution

kserra_splunk
Splunk Employee
Splunk Employee
‎07-20-2015 12:52 PM

The error message is indicating that the cluster master is attempting to push .conf files for which is does not contain a valid SPEC file. For example the eventgen.conf does not exist as part of the default splunk install. Therefore if an app wants to leverage this file , it would need a corresponding SPEC file in order to utilize this eventgen.conf. Because this file is missing the bundle will flag the config as invalid and refuse to push it until it's resolved

You can fix this issue in one of a few ways

  • You can remove all instances of the problematic .conf files (this could possibly break app functionality)
  • If you recently upgraded an app and started getting this issue, you should make sure that when you upgraded you did not leave in place any .conf files that are no longer leveraged by the app
  • You can add in the spec files for the .conf files referenced, this will allow splunk to push out the cluster bundle and avoid the errors.
  • You can push the bundle to ignore these errors by adding the --skip-validation flag (not recommended unless you know what you are doing as this could cause bad conf to get pushed out)

If you find that an app is giving you these errors AND the spec file for that app is not included, you may want to alert the app developer of this problem.

Reply
Solved! Jump to solution

guilmxm
Influencer
‎02-25-2016 10:44 AM

Hi kserra,

Please, have you more information about the condition required for these cluster bundle deployment message to appear ?

There is a user of the Nmon app mentioning the same message because of missing spec files:

https://answers.splunk.com/answers/368524/spec-files-missing-for-nmon-performance-monitor-fo.html#an...

Therefore, in my customers places running the app in indexer clustering or in my own env testing i have never met this message.

Is this verification step specific to certain configuration ? version ? OS ?

Thank you !

Guilhem

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...