Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Cluster master cannot push configuration bundle due to validation error: "No spec file" and "Invalid key in stanza"

jreuter_splunk
Splunk Employee
Splunk Employee
‎07-20-2015 12:45 PM

I just installed some new apps (updated some as well) on my Splunk indexer cluster and attempted to push the bundle. When the bundle tries to push, I get the following errors:

In handler 'clustermastercontrol': The Master could not push the latest configuration bundle because it contains an invalid configuration. Fix any errors and push the bundle again. Alternatively, you can skip the validation process like this: "splunk apply cluster-bundle --skip-validation". Use this option carefully, as it can cause the master to push an invalid configuration to the peers. 
The following errors were encountered: No spec file for: C:\ProgramFiles\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\eventgen.conf ; 
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] inC:\Program Files\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\workflow_actions.conf, line 10: ise.host (value: Please update ISE host information before enabling) ; 
Invalid key in stanza [EPS_Quarantine_By_Framed_IP_Address] in C:\Program Files\Splunk\etc\master-apps\Splunk_TA_cisco-ise\default\workflow_actions.conf, line 11: ise.version (value: 1.2) ; …

I can’t push my bundle out as a result of this issue, what is causing this problem?

Reply
1 Solution
Solved! Jump to solution
Solution

kserra_splunk
Splunk Employee
Splunk Employee
‎07-20-2015 12:52 PM

The error message is indicating that the cluster master is attempting to push .conf files for which is does not contain a valid SPEC file. For example the eventgen.conf does not exist as part of the default splunk install. Therefore if an app wants to leverage this file , it would need a corresponding SPEC file in order to utilize this eventgen.conf. Because this file is missing the bundle will flag the config as invalid and refuse to push it until it's resolved

You can fix this issue in one of a few ways

  • You can remove all instances of the problematic .conf files (this could possibly break app functionality)
  • If you recently upgraded an app and started getting this issue, you should make sure that when you upgraded you did not leave in place any .conf files that are no longer leveraged by the app
  • You can add in the spec files for the .conf files referenced, this will allow splunk to push out the cluster bundle and avoid the errors.
  • You can push the bundle to ignore these errors by adding the --skip-validation flag (not recommended unless you know what you are doing as this could cause bad conf to get pushed out)

If you find that an app is giving you these errors AND the spec file for that app is not included, you may want to alert the app developer of this problem.

View solution in original post

Reply
Solved! Jump to solution
Solution

kserra_splunk
Splunk Employee
Splunk Employee
‎07-20-2015 12:52 PM

The error message is indicating that the cluster master is attempting to push .conf files for which is does not contain a valid SPEC file. For example the eventgen.conf does not exist as part of the default splunk install. Therefore if an app wants to leverage this file , it would need a corresponding SPEC file in order to utilize this eventgen.conf. Because this file is missing the bundle will flag the config as invalid and refuse to push it until it's resolved

You can fix this issue in one of a few ways

  • You can remove all instances of the problematic .conf files (this could possibly break app functionality)
  • If you recently upgraded an app and started getting this issue, you should make sure that when you upgraded you did not leave in place any .conf files that are no longer leveraged by the app
  • You can add in the spec files for the .conf files referenced, this will allow splunk to push out the cluster bundle and avoid the errors.
  • You can push the bundle to ignore these errors by adding the --skip-validation flag (not recommended unless you know what you are doing as this could cause bad conf to get pushed out)

If you find that an app is giving you these errors AND the spec file for that app is not included, you may want to alert the app developer of this problem.

Reply
Solved! Jump to solution

guilmxm
Influencer
‎02-25-2016 10:44 AM

Hi kserra,

Please, have you more information about the condition required for these cluster bundle deployment message to appear ?

There is a user of the Nmon app mentioning the same message because of missing spec files:

https://answers.splunk.com/answers/368524/spec-files-missing-for-nmon-performance-monitor-fo.html#an...

Therefore, in my customers places running the app in indexer clustering or in my own env testing i have never met this message.

Is this verification step specific to certain configuration ? version ? OS ?

Thank you !

Guilhem

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...