
Getting "Invalid key in stanza" errors for the Splunk Windows Universal agent configured with default configuration?

Hemnaath
Motivator

Hi all, we recently upgraded to the latest version of the Universal Forwarder, 6.6.1, as we moved the entire Splunk instance from 6.2.1 to 6.6.1. We have configured a customized app for Windows monitoring. But currently we are getting the error messages below when the agents are restarted, and we are not sure why these error messages are popping up.

Error details :

Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 10: ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 11: checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 16:ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 17:current_only (value: 0).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 18:evt_resolve_ad_obj (value: 1).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 19:checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 24: start_from (value: oldest).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 25: current_only (value: 0).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 26: checkpointInterval (value: 5).

Configuration details in inputs.conf (partial configuration, not the full configuration):
[default]
evt_dc_name =
evt_dns_name =

OS Logs

[WinEventLog:Application]
disabled = 0
current_only = 0
ignoreOlderThan = 2d
checkpointInterval = 5
index = windows

[WinEventLog:Security]
disabled = 0
ignoreOlderThan = 2d
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Can anyone help me fix this issue?
Thanks in advance.

0 Karma
1 Solution

spayneort
Contributor
  1. Change your stanzas to have slashes: [WinEventLog://Application], etc.

  2. Remove the "ignoreOlderThan" lines. That is for monitor:// inputs, not WinEventLog://.

https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf
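
A pre-deployment check for the two points in the answer above, as an added example that is not part of the original thread. The function name `lint_inputs_conf` and the sample stanzas are constructed for illustration, and only the two rules stated in the answer are checked.

```python
import re

# Constructed sample: one stanza in the form posted in the question,
# two already renamed with slashes (one still carrying ignoreOlderThan).
SAMPLE = """\
[WinEventLog:Application]
disabled = 0
ignoreOlderThan = 2d
checkpointInterval = 5

[WinEventLog://Security]
disabled = 0
ignoreOlderThan = 2d
current_only = 0

[WinEventLog://System]
disabled = 0
start_from = oldest
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=")

def lint_inputs_conf(text):
    """Return (line_no, stanza, message) for each violation of the two rules."""
    findings, stanza, is_evt = [], None, False
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        m = STANZA.match(line)
        if m:
            stanza = m.group("name")
            is_evt = stanza.startswith("WinEventLog:")
            # Rule 1: the stanza must be written WinEventLog://<channel>
            if is_evt and not stanza.startswith("WinEventLog://"):
                channel = stanza.split(":", 1)[1].lstrip("/")
                findings.append((no, stanza, f"rename to [WinEventLog://{channel}]"))
            continue
        m = SETTING.match(line)
        # Rule 2: ignoreOlderThan is for monitor:// inputs, not WinEventLog://
        if m and is_evt and m.group("key") == "ignoreOlderThan":
            findings.append((no, stanza, "remove ignoreOlderThan (monitor:// setting)"))
    return findings

if __name__ == "__main__":
    for no, stanza, msg in lint_inputs_conf(SAMPLE):
        print(f"line {no}: [{stanza}] {msg}")
```

Running it over an app's inputs.conf before the app is pushed to forwarders flags both problems with their line numbers, so the change can be verified on one file rather than on a restarted agent.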

Hemnaath
Motivator

Hi Spayneort, thanks for your effort on this issue. So do you mean I need to remove the "ignoreOlderThan" stanza from the inputs.conf file? But will that fix the other invalid key issues like checkpointInterval, start_from, evt_resolve_ad_obj and current_only?

OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0

ignoreOlderThan = 2d

checkpointInterval = 5
index = windows

[WinEventLog://Security]
disabled = 0

ignoreOlderThan = 2d

current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Kindly let me know whether the modified stanza will fix the issue, as we have almost 2500 Windows UF agents running with this stanza. So I need to be careful before using it. Please let me know whether this will fix the issue.

Thanks in advance.

0 Karma

Hemnaath
Motivator

Hi Spayneort, can I update the above stanza, as you mentioned in the comments?
Kindly let me know on this; I need to update the same in the prod environment.

Thanks in advance.

0 Karma

Hemnaath
Motivator

Hi Spayneort, after making the above changes in the inputs.conf, the "Invalid key in stanza" error got fixed.

OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0

ignoreOlderThan = 2d

checkpointInterval = 5
index = windows

[WinEventLog://Security]
disabled = 0

ignoreOlderThan = 2d

current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Thanks.

0 Karma