Deployment Architecture

Cluster master cannot push configuration bundle due to validation error: "No spec file" and "Invalid key in stanza"

jreuter_splunk
Splunk Employee

I just installed some new apps (updated some as well) on my Splunk indexer cluster and attempted to push the bundle. When the bundle tries to push, I get the following errors:

In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. 
The following errors were encountered: No spec file for: C:\Program Files\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\eventgen.conf ; 
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in C:\Program Files\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\workflow_actions.conf, line 10: ise.host (value: Please update ISE host information before enabling) ; 
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in C:\Program Files\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\workflow_actions.conf, line 11: ise.version (value: 1.2) ; …

I can’t push my bundle out as a result of this issue. What is causing this problem?

1 Solution

kserra_splunk
Splunk Employee

The error message is indicating that the cluster master is attempting to push .conf files for which it does not contain a valid SPEC file. For example, the eventgen.conf does not exist as part of the default Splunk install. Therefore, if an app wants to leverage this file, it would need a corresponding SPEC file in order to utilize this eventgen.conf. Because this file is missing, the bundle will flag the config as invalid and refuse to push it until it's resolved.

You can fix this issue in one of a few ways:

  • You can remove all instances of the problematic .conf files (this could possibly break app functionality)
  • If you recently upgraded an app and started getting this issue, you should make sure that when you upgraded you did not leave in place any .conf files that are no longer leveraged by the app
  • You can add in the spec files for the .conf files referenced; this will allow Splunk to push out the cluster bundle and avoid the errors.
  • You can push the bundle to ignore these errors by adding the --skip-validation flag (not recommended unless you know what you are doing as this could cause bad conf to get pushed out)

If you find that an app is giving you these errors AND the spec file for that app is not included, you may want to alert the app developer of this problem.
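
A pre-push check for the two error types in the question, as an added example that is not part of the original posts and is not Splunk's own validator. The names `settings`, `check_bundle` and `TA_example` are hypothetical, the sample files are constructed, and the check assumes a spec is found either in the system README directory or in the app's own README directory and that spec keys are matched literally.

```python
import re
import tempfile
from pathlib import Path

STANZA = re.compile(r"^\[(.*)\]\s*$")
SETTING = re.compile(r"^([^#*\s=][^=]*?)\s*=")  # skips comments, '*' doc lines, indented text

def settings(path):
    """Yield (stanza, key) for every 'key = value' line of a .conf or .conf.spec file."""
    stanza = "default"
    for line in path.read_text(encoding="utf-8", errors="replace").splitlines():
        if m := STANZA.match(line):
            stanza = m.group(1)
        elif m := SETTING.match(line):
            yield stanza, m.group(1)

def check_bundle(apps_dir, system_readme):
    """Return (problem, app, conf file, stanza, key) tuples for a master-apps style tree."""
    findings = []
    for conf in sorted(Path(apps_dir).glob("*/*/*.conf")):
        app = conf.parents[1]
        if conf.parent.name not in ("default", "local"):
            continue
        # Assumption: a spec is looked up in the system README dir or the app's own README dir.
        specs = [d / (conf.name + ".spec") for d in (Path(system_readme), app / "README")]
        specs = [s for s in specs if s.is_file()]
        if not specs:
            findings.append(("No spec file", app.name, conf.name, None, None))
            continue
        known = {key for spec in specs for _, key in settings(spec)}
        findings += [("Invalid key in stanza", app.name, conf.name, stanza, key)
                     for stanza, key in settings(conf) if key not in known]
    return findings

def demo():
    """Build a constructed bundle in a temp dir and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample content, not the real add-on or the real Splunk spec
            "README/workflow_actions.conf.spec": "type = <string>\n* doc line\nlabel = <string>\n",
            "apps/TA_example/default/workflow_actions.conf":
                "[EPS_Quarantine_By_Framed_IP_Address]\ntype = link\nise.host = placeholder\n",
            "apps/TA_example/default/eventgen.conf": "[sample.log]\ninterval = 60\n",
        }
        for rel, text in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text, encoding="utf-8")
        return check_bundle(root / "apps", root / "README")

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running it against a copy of the real master-apps directory before a push lists leftover .conf files and undeclared keys without resorting to `--skip-validation`.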

guilmxm
Influencer

Hi kserra,

Please, do you have more information about the conditions required for these cluster bundle deployment messages to appear?

There is a user of the Nmon app mentioning the same message because of missing spec files:

https://answers.splunk.com/answers/368524/spec-files-missing-for-nmon-performance-monitor-fo.html#an...

Therefore, in my customers' places running the app in indexer clustering, or in my own env testing, I have never met this message.

Is this verification step specific to a certain configuration? Version? OS?

Thank you !

Guilhem
