Getting Data In

Upgraded to Splunk 5.0.3, and noticing "Undocumented key used in transforms.conf" messages during startup

Splunk Employee
Splunk Employee

After upgrading to Splunk 5.0.3, upon startup, I noticed the following messages:

Undocumented key used in transforms.conf; stanza='syslogout' setting='DEST_KEY' key='_SYSLOG_ROUTING'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended.
All preliminary checks passed.

I do have _SYSLOG_ROUTING setup in my transforms.conf as per splunk online doc for syslog out:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Forwarddatatothird-partysystemsd

And this configuration has been working fine prior to splunk 5.0.3 upgrade.

Splunk Employee
Splunk Employee

This is a known bug (SPL-68932) in Splunk 5.0.3. The message is rather harmless, and your _SYSLOG_ROUTING should still works as usual.

You can either ignore the message during splunk startup, or by adding the following entries in your transforms.conf to make the message go away:

[accepted_keys]
is_valid=_SYSLOG_ROUTING

More details on this [accepted_keys] stanza here:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Transformsconf

Once you have made the above changes and restart splunk, the warning messages should go away.