Getting Data In

Upgraded to Splunk 5.0.3, and noticing "Undocumented key used in transforms.conf" messages during startup

Splunk Employee
Splunk Employee

After upgrading to Splunk 5.0.3, upon startup, I noticed the following messages:

Undocumented key used in transforms.conf; stanza='syslogout' setting='DEST_KEY' key='_SYSLOG_ROUTING'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended.
All preliminary checks passed.

I do have _SYSLOG_ROUTING setup in my transforms.conf as per splunk online doc for syslog out:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Forwarddatatothird-partysystemsd

And this configuration has been working fine prior to splunk 5.0.3 upgrade.

Splunk Employee
Splunk Employee

This is a known bug (SPL-68932) in Splunk 5.0.3. The message is rather harmless, and your _SYSLOG_ROUTING should still works as usual.

You can either ignore the message during splunk startup, or by adding the following entries in your transforms.conf to make the message go away:

[accepted_keys]
is_valid=_SYSLOG_ROUTING

More details on this [accepted_keys] stanza here:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Transformsconf

Once you have made the above changes and restart splunk, the warning messages should go away.

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!