Getting Data In

Getting an "Invalid key in stanza" errors for the Splunk Windows Universal agent configured with default configuration ?

Hemnaath
Motivator

Hi All, We are recently upgrade to the latest version of the Universal forwarder 6.6.1 as we moved Entire splunk instance from 6.2.1 to 6.6.1. We have configured a customized app for windows monitoring. But currently we are getting the below error message when the agents are restarted and we are not sure why this error message are popped out.

Error details :

Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 10: ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 11: checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 16:ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 17:current_only (value: 0).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 18:evt_resolve_ad_obj (value: 1).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 19:checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 24: start_from (value: oldest).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 25: current_only (value: 0).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 26: checkpointInterval (value: 5).

Configuration details in inputs.conf -- Partial configuration not full configuration.
[default]
evt_dc_name =
evt_dns_name =

OS Logs

[WinEventLog:Application]
disabled = 0
current_only = 0
ignoreOlderThan = 2d
checkpointInterval = 5
index = windows

[WinEventLog:Security]
disabled = 0
ignoreOlderThan = 2d
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Can anyone help me in fixing this issue.
thanks in advance

Tags (2)
0 Karma
1 Solution

spayneort
Contributor
  1. Change your stanzas to have slashes: [WinEventLog://Application], etc.

  2. Remove the "ignoreOlderThan" lines. That is for monitor:// inputs, not WinEventLog://.

https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf

View solution in original post

spayneort
Contributor
  1. Change your stanzas to have slashes: [WinEventLog://Application], etc.

  2. Remove the "ignoreOlderThan" lines. That is for monitor:// inputs, not WinEventLog://.

https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf

View solution in original post

Hemnaath
Motivator

Hi Spayneort, thanks for your effort on this issue, so do you mean I need to remove the "ignoreOlderThan" stanza from the inputs.conf file. But will that fix other invalid key issues like checkpointInterval, start_from,evt_resolve_ad_obj and current_only.

OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0

ignoreOlderThan = 2d

checkpointInterval = 5
index = windows

[WinEventLog://Security]
disabled = 0

ignoreOlderThan = 2d

current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Kindly let me know the modified stanza will fix the issue, as we have almost 2500 Windows UF agents is running with this stanza. So I need to be careful enough before using it. Please let me know whether this will fix the issue.

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi Spayneort, Can I update the above stanza, as you had mentioned in the comments.
Kindly let me know on this, need to update the same in prod environment.

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi Spayneort, after making the above changes in the inputs.conf the Invalid key in stanza got fixed.

OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0

ignoreOlderThan = 2d

checkpointInterval = 5
index = windows

[WinEventLog://Security]
disabled = 0

ignoreOlderThan = 2d

current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

thanks.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!