Checking conf files for problems...
Improper stanza [dhcpd_server_dhcprelease] in /opt/splunk/etc/apps/unix/default/tags.conf, line 30
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
When I run splunk btool check --debug, I get these errors
No spec file for: /opt/splunk/etc/apps/SA-Hydra/default/hydra_gateway.conf
No spec file for: /opt/splunk/etc/apps/SA-Hydra/default/hydra_node.conf
No spec file for: /opt/splunk/etc/apps/SA-ldapsearch/default/ldap.conf
No spec file for: /opt/splunk/etc/apps/SA-ldapsearch/default/logging.conf
No spec file for: /opt/splunk/etc/apps/Splunk_TA_nix/default/eventgen.conf
No spec file for: /opt/splunk/etc/apps/Splunk_TA_ontap/default/hydra_node.conf
No spec file for: /opt/splunk/etc/apps/Splunk_TA_ontap/default/ta_ontap_collection.conf
No spec file for: /opt/splunk/etc/apps/ossec/default/ossec_servers.conf
No spec file for: /opt/splunk/etc/apps/splunk_management_console/default/logging.conf
No spec file for: /opt/splunk/etc/apps/unix/default/eventgen.conf
No spec file for: /opt/splunk/etc/system/default/conf.conf
No spec file for: /opt/splunk/etc/system/default/prefs.conf
No spec file for: /opt/splunk/etc/system/local/migration.conf
To solve the problem, I double checked the output of splunk btool check --debug | grep -i improper
. I found out that there are two configuration files which define [dhcpd_server_dhcpreleases]
.
1. /opt/splunk/etc/apps/Splunk_TA_nix/default/tags.conf
2. /opt/splunk/etc/apps/unix/default/tags.conf
I know that we shouldn't change any entries in "default" config files but, if I changed the [dhcpd_server_dhcpreleases]
to [eventtype=dhcpd_server_dhcpreleases]
in both config files, the error Messages are gone.
Hope that helps.
This solved the problem for me. I did not have /opt/splunk/etc/apps/unix/default/tags.conf. I only changed the entry in Splunk_TA_nix/default/tags.conf and that worked.
reinstall your splunk 6.2.
I had the same problem with my splunk6.2 version I have changes to make another version "splunk-6.2.0-237341-Linux-i686.tgz" that I installed without removing the other, and that is ok because when I run ./splunk btool check --debug, I have the following:
Checking: /opt/splunk/etc/system/default/outputs.conf
Checking: /opt/splunk/etc/system/default/pdf_server.conf
No spec file for: /opt/splunk/etc/system/default/prefs.conf
Checking: /opt/splunk/etc/system/default/procmon-filters.conf
Checking: /opt/splunk/etc/system/default/props.conf
Checking: /opt/splunk/etc/system/default/restmap.conf
Checking: /opt/splunk/etc/system/default/times.conf
Checking: /opt/splunk/etc/system/default/viewstates.conf
Checking: /opt/splunk/etc/system/default/web.conf
Checking: /opt/splunk/etc/system/default/workflow_actions.conf
Checking: /opt/splunk/etc/system/local/inputs.conf
No spec file for: /opt/splunk/etc/system/local/migration.conf
Checking: /opt/splunk/etc/system/local/server.conf
............
see my configuration in /opt/splunk/etc/apps/Splunk_TA_nix/default/tags.conf file.
###### DHCP ######
[eventtype=dhcpd_server]
dhcp = enabled
network = enabled
session = enabled
unix = enabled
[eventtype=dhcpd_start]
start = enabled
[eventtype=dhcpd_unable_unexpected]
error = enabled
[dhcpd_server_dhcprelease]
end = enabled
Hi there,
we have exaclty the same message when we start/restart our splunk indexer.
Does anyone know where the issue come from?
Kind regards.
nobody knows how to resolve this problem?