Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Invalid key in stanza - kv_mode (value: xml)

mariannedave
Explorer
‎04-14-2021 08:39 PM

There are no data being index from our setup below. Does "Invalid key in stanza ..... line 36: kv_mode (value: xml)" is the reason? If yes, what's wrong with KV_MODE = xml?

From Splunk Logs:
04-14-2021 19:34:49.555 +0200 WARN Application - Invalid key in stanza [XXXX] in /opt/splunk/etc/deployment-apps/XXXXXX/local/props.conf, line 36: kv_mode (value: xml).\n

 

props.conf

27: [XXXX]
28: BREAK_ONLY_BEFORE = goblygook
29: MAX_EVENTS = 200000
30: DATETIME_CONFIG = NONE
31: CHECK_METHOD = modtime
32: pulldown_type = true
33: LEARN_MODEL = false
34: SHOULD_LINEMERGE = true
35: TRUNCATE = 0
36: KV_MODE = xml
37: TRANSFORMS-set = setnull, accept_xml_files

transforms.conf

####################
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[accept_xml_files]
REGEX = <?xml version
DEST_KEY = queue
FORMAT = indexQueue

####################

 

inputs.conf

[monitor:///path/*.xml]
index = idx_sample
sourcetype = XXXX
crcSalt = <SOURCE>
initCrcLength = 512

 

Thank you.

Labels (1)
Labels
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...