Deployment Architecture

Cluster master cannot push configuration bundle due to validation error: "No spec file" and "Invalid key in stanza"

jreuter_splunk
Splunk Employee
Splunk Employee

I just installed some new apps (updated some as well) on my Splunk indexer cluster and attempted to push the bundle. When the bundle tries to push, I get the following errors:

In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. 
The following errors were encountered: No spec file for: C:\ProgramFiles\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\eventgen.conf ; 
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] inC:\Program Files\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\workflow_actions.conf, line 10: ise.host (value: Please update ISE host information before enabling) ; 
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in C:\Program Files\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\workflow_actions.conf, line 11: ise.version (value: 1.2) ; …

I can’t push my bundle out as a result of this issue, what is causing this problem?

1 Solution

kserra_splunk
Splunk Employee
Splunk Employee

The error message is indicating that the cluster master is attempting to push .conf files for which is does not contain a valid SPEC file. For example the eventgen.conf does not exist as part of the default splunk install. Therefore if an app wants to leverage this file , it would need a corresponding SPEC file in order to utilize this eventgen.conf. Because this file is missing the bundle will flag the config as invalid and refuse to push it until it's resolved

You can fix this issue in one of a few ways

  • You can remove all instances of the problematic .conf files (this could possibly break app functionality)
  • If you recently upgraded an app and started getting this issue, you should make sure that when you upgraded you did not leave in place any .conf files that are no longer leveraged by the app
  • You can add in the spec files for the .conf files referenced, this will allow splunk to push out the cluster bundle and avoid the errors.
  • You can push the bundle to ignore these errors by adding the --skip-validation flag (not recommended unless you know what you are doing as this could cause bad conf to get pushed out)

If you find that an app is giving you these errors AND the spec file for that app is not included, you may want to alert the app developer of this problem.

View solution in original post

kserra_splunk
Splunk Employee
Splunk Employee

The error message is indicating that the cluster master is attempting to push .conf files for which is does not contain a valid SPEC file. For example the eventgen.conf does not exist as part of the default splunk install. Therefore if an app wants to leverage this file , it would need a corresponding SPEC file in order to utilize this eventgen.conf. Because this file is missing the bundle will flag the config as invalid and refuse to push it until it's resolved

You can fix this issue in one of a few ways

  • You can remove all instances of the problematic .conf files (this could possibly break app functionality)
  • If you recently upgraded an app and started getting this issue, you should make sure that when you upgraded you did not leave in place any .conf files that are no longer leveraged by the app
  • You can add in the spec files for the .conf files referenced, this will allow splunk to push out the cluster bundle and avoid the errors.
  • You can push the bundle to ignore these errors by adding the --skip-validation flag (not recommended unless you know what you are doing as this could cause bad conf to get pushed out)

If you find that an app is giving you these errors AND the spec file for that app is not included, you may want to alert the app developer of this problem.

guilmxm
Influencer

Hi kserra,

Please, have you more information about the condition required for these cluster bundle deployment message to appear ?

There is a user of the Nmon app mentioning the same message because of missing spec files:

https://answers.splunk.com/answers/368524/spec-files-missing-for-nmon-performance-monitor-fo.html#an...

Therefore, in my customers places running the app in indexer clustering or in my own env testing i have never met this message.

Is this verification step specific to certain configuration ? version ? OS ?

Thank you !

Guilhem

Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...