Getting Data In

On startup, Splunk reports issues with the default prefs.conf file (invalid keys)

Path Finder

When I startup Splunk (v6.3.0 for Linux), I've notices warning message when Splunk is Checking conf files for problems.

It finds several issues with the default prefs.conf file, telling me several items have invalid keys.

  1. Not sure why the default file is coming up with errors. This has not been updated by us.
  2. Is prefs.conf used anymore? I thought this file was removed. It is not listed in the admin document as a conf file.
    I renamed the file and restarted, no warning messages, but then it complained it couldn't find default/prefs.conf.

What's the story with this behavior?


Tags (1)
0 Karma

Path Finder

The Splunk v6.4.0 tar has no prefs.conf. Has this file been deprecated now?

0 Karma

Splunk Employee
Splunk Employee

I recall at least one occurrence where the .spec file was not updated with 6.3, leading to startup warnings. Without knowing, which keys your installation complains about, it's hard to say whether you are experiencing the same issue. I would definitely try to upgrade to the latest 6.3.x version available on
And/Or, please update your question with the warnings you see.

0 Karma

Path Finder

I listed the warnings above. It's not so easy for me to just upgrade to the new version. I have to get a bunch of approvals before I can do that. However, it seems I have seem this in the past few upgrades I have done (6.2.2, 6.2.4 at the very least).

0 Karma


There is still a default prefs.conf file in 6.3. Check the manifest file in your SPLUNK_HOME directory, it has a list of the files from the installer.

Is this a new installation of Splunk or an upgrade? If its an upgrade, check to see if your etc/system/default/prefs.conf file is read-only. It could be that when you upgraded, you were unable to overwrite the file, and now Splunk is complaining. An easy fix would be to adjust the permissions on the existing file, pull a copy of the new file from the tar.gz installer and copy it over the existing one.

0 Karma

Path Finder

The manifest file I have for my 6.3.0 install still lists the default/prefs.conf. The file permissions are 440 instead of 444 listed in the manifest. Though all the files in the default directory have been at least touched by the upgrade. In the past if we've had permission issues, I see the errors immediately with the tarball deployment.

I pulled the file from the tar.gz installation and checked it against the installed file and the diff command reported no differences in the two files.

The warnings are about the following issues:
stanza [default]: line 23: clicksAppendToSearch (value: true)
stanza [default]: line 24: defaultTimeRange (value: startMonthsAgo=3)
stanza [default]: line 33: maxLines (value: 10)
stanza [default]: line 36: reportColumnList (value: [])
stanza [default]: line 37: chartLastPlotMode (value: column)
stanza [default]: line 49: dashboard_intro_getting_started (value: /static/html/getting_started.html)
stanza [default]: line 59: dashboard_customList_All_indexed_data_searches (value: .....)
stanza [default]: line 60: dashboard_customList_All_indexed_data_labels (value: Sources, Sourcetypes, Hosts)
stanza [default]: line 62: dashboard_customList_Saved_searches_searches (value: .....)
stanza [default]: line 63: dashboard_customList_Saved_searches_lables (value: )

0 Karma
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Get the T-shirt to Prove You Survived Splunk University Bootcamp

As if Splunk University, in Las Vegas, in-person, with three days of bootcamps and labs weren’t enough, now ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...