Getting Data In

Upgraded to Splunk 5.0.3, and noticing "Undocumented key used in transforms.conf" messages during startup

bmignosa_splunk
Splunk Employee
Splunk Employee

After upgrading to Splunk 5.0.3, upon startup, I noticed the following messages:

Undocumented key used in transforms.conf; stanza='syslogout' setting='DEST_KEY' key='_SYSLOG_ROUTING'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended.
All preliminary checks passed.

I do have _SYSLOG_ROUTING setup in my transforms.conf as per splunk online doc for syslog out:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Forwarddatatothird-partysystemsd

And this configuration has been working fine prior to splunk 5.0.3 upgrade.

splunkIT
Splunk Employee
Splunk Employee

This is a known bug (SPL-68932) in Splunk 5.0.3. The message is rather harmless, and your _SYSLOG_ROUTING should still works as usual.

You can either ignore the message during splunk startup, or by adding the following entries in your transforms.conf to make the message go away:

[accepted_keys]
is_valid=_SYSLOG_ROUTING

More details on this [accepted_keys] stanza here:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Transformsconf

Once you have made the above changes and restart splunk, the warning messages should go away.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...