Getting Data In

Upgraded to Splunk 5.0.3, and noticing "Undocumented key used in transforms.conf" messages during startup

Splunk Employee
Splunk Employee

After upgrading to Splunk 5.0.3, upon startup, I noticed the following messages:

Undocumented key used in transforms.conf; stanza='syslogout' setting='DESTKEY' key='SYSLOGROUTING'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted
keys] in transforms.conf if they are intended.
All preliminary checks passed.

I do have SYSLOGROUTING setup in my transforms.conf as per splunk online doc for syslog out:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Forwarddatatothird-partysystemsd

And this configuration has been working fine prior to splunk 5.0.3 upgrade.

Splunk Employee
Splunk Employee

This is a known bug (SPL-68932) in Splunk 5.0.3. The message is rather harmless, and your SYSLOGROUTING should still works as usual.

You can either ignore the message during splunk startup, or by adding the following entries in your transforms.conf to make the message go away:

[acceptedkeys]
is
valid=SYSLOGROUTING

More details on this [accepted_keys] stanza here:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Transformsconf

Once you have made the above changes and restart splunk, the warning messages should go away.