Getting Data In

Getting "Invalid key in stanza" errors for the Splunk Windows Universal agent configured with default configuration?

Hemnaath
Motivator

Hi All, we recently upgraded to the latest version of the Universal Forwarder, 6.6.1, as we moved the entire Splunk instance from 6.2.1 to 6.6.1. We have configured a customized app for Windows monitoring. But currently we are getting the below error messages when the agents are restarted, and we are not sure why these error messages are popping up.

Error details :

Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 10: ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 11: checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 16:ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 17:current_only (value: 0).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 18:evt_resolve_ad_obj (value: 1).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 19:checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 24: start_from (value: oldest).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 25: current_only (value: 0).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 26: checkpointInterval (value: 5).

Configuration details in inputs.conf (partial configuration, not the full configuration):
[default]
evt_dc_name =
evt_dns_name =

# OS Logs

[WinEventLog:Application]
disabled = 0
current_only = 0
ignoreOlderThan = 2d
checkpointInterval = 5
index = windows

[WinEventLog:Security]
disabled = 0
ignoreOlderThan = 2d
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Can anyone help me in fixing this issue?
Thanks in advance.

0 Karma
1 Solution

spayneort
Contributor
  1. Change your stanzas to have slashes: [WinEventLog://Application], etc.

  2. Remove the "ignoreOlderThan" lines. That is for monitor:// inputs, not WinEventLog://.

https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf
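
The two corrections in this answer, written as a pre-deployment check (an added example, not part of the original post and not Splunk tooling). The sample config is constructed from the stanzas in the question; `lint_inputs_conf` and `MONITOR_ONLY_KEYS` are hypothetical names, and only the two rules stated in the answer are checked.

```python
import re

# Per the answer: ignoreOlderThan belongs to monitor:// inputs, not WinEventLog://.
MONITOR_ONLY_KEYS = {"ignoreOlderThan"}  # hypothetical name, holds only the key named on the page

HEADER = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>[A-Za-z_][\w.-]*)\s*=")
# Broken header form from the question: a colon but no "//" after WinEventLog.
BAD_HEADER = re.compile(r"^WinEventLog:(?!//)(?P<channel>.+)$", re.IGNORECASE)

# Constructed sample based on the stanzas posted in the question.
SAMPLE = r"""[default]
evt_dc_name =
evt_dns_name =

[WinEventLog:Application]
disabled = 0
ignoreOlderThan = 2d
checkpointInterval = 5
index = windows

[WinEventLog://Security]
ignoreOlderThan = 2d
current_only = 0

[monitor://C:\applogs\app.log]
ignoreOlderThan = 2d
"""


def lint_inputs_conf(text):
    """Return (line_number, stanza, message) for each problem the answer describes."""
    findings, stanza, in_wineventlog = [], None, False
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        header = HEADER.match(line)
        if header:
            stanza = header.group("name")
            in_wineventlog = stanza.lower().startswith("wineventlog:")
            bad = BAD_HEADER.match(stanza)
            if bad:
                findings.append((lineno, stanza, f"use [WinEventLog://{bad.group('channel')}]"))
            continue
        setting = SETTING.match(line)
        if setting and in_wineventlog and setting.group("key") in MONITOR_ONLY_KEYS:
            findings.append((lineno, stanza, f"{setting.group('key')} is a monitor:// setting; remove it"))
    return findings


if __name__ == "__main__":
    for lineno, stanza, message in lint_inputs_conf(SAMPLE):
        print(f"line {lineno}: [{stanza}] {message}")
```

Splunk's own `btool check` remains the authoritative validation against the spec files; this script covers only the two points raised in the answer.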

Hemnaath
Motivator

Hi Spayneort, thanks for your effort on this issue. So do you mean I need to remove the "ignoreOlderThan" stanza from the inputs.conf file? But will that fix the other invalid key issues like checkpointInterval, start_from, evt_resolve_ad_obj and current_only?

# OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0

ignoreOlderThan = 2d

checkpointInterval = 5
index = windows

[WinEventLog://Security]
disabled = 0

ignoreOlderThan = 2d

current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Kindly let me know whether the modified stanza will fix the issue, as we have almost 2500 Windows UF agents running with this stanza. So I need to be careful enough before using it. Please let me know whether this will fix the issue.

Thanks in advance.

0 Karma

Hemnaath
Motivator

Hi Spayneort, can I update the above stanza as you had mentioned in the comments?
Kindly let me know on this; I need to update the same in the prod environment.

Thanks in advance.

0 Karma

Hemnaath
Motivator

Hi Spayneort, after making the above changes in the inputs.conf, the "Invalid key in stanza" errors got fixed.

# OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0

ignoreOlderThan = 2d

checkpointInterval = 5
index = windows

[WinEventLog://Security]
disabled = 0

ignoreOlderThan = 2d

current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Thanks.

0 Karma