Installation

Why are there errors on new UF 9.0.0 installation on Ubuntu 22.04 (armv8)?

Lindquist91
New Member

Hi,

I decided to spin up my Splunk home environment again, and I'm running into an issue this time while installing my UF 9.0 on my Raspberry Pi. It's a Pi 4 B running Ubuntu 22.04.1 LTS on aarch64 architecture.

I followed install instructions according to the installing a UNIX forwarder page from Splunk, and used the following bundle "splunkforwarder-9.0.0-6818ac46f2ec-Linux-armv8.tgz".

After getting some normal permissions things out of the way, I started the forwarder, this time it's giving me the error:

Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).

Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'

So after running splunk btool check --debug | grep ' No spec' and 'Invalid' (these are all the error types btool reported on) it returns the following after a clean install:

No spec file for: /opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/default/app.conf
No spec file for: /opt/splunkforwarder/etc/apps/introspection_generator_addon/default/app.conf
No spec file for: /opt/splunkforwarder/etc/apps/search/default/app.conf
No spec file for: /opt/splunkforwarder/etc/apps/splunk_internal_metrics/default/app.conf
No spec file for: /opt/splunkforwarder/etc/manager-apps/_cluster/default/indexes.conf
No spec file for: /opt/splunkforwarder/etc/system/default/app.conf
No spec file for: /opt/splunkforwarder/etc/system/default/conf.conf
No spec file for: /opt/splunkforwarder/etc/system/default/federated.conf
No spec file for: /opt/splunkforwarder/etc/system/default/telemetry.conf

Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).

I cannot really find answers on this topic. Mostly related to other apps that people installed, but I only installed the universal forwarder, nothing else. I also am not sure what is the answer to the invalid key in the stanza for actions.conf and would like to know if there is a fix.

I also found the following error, and read online that it's not impacting the functionality of Splunk, but is there a way to suppress them and how can I be sure that it's not an issue?

Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforward

My /opt/ permissions:

splunk@hostname:/opt/splunkforwarder$ ls -lia /opt
148855 drwxr-xr-x 10 splunk splunk 4096 Aug 12 15:47 splunkforwarder

Any help would be appreciated on this. I am trying to get the cleanest start possible, because on my last run I had a problem with the way my data was being ingested (the 'sourcetype too small' problem) and I wasn't able to fix it back then.

Kind regards

0 Karma

ldongradi_splun
Splunk Employee

Invalid key in stanza [webhook]

This is a bug in 9.0.0. Updating should get rid of it.

If you want to remove the message without updating, you can edit

/opt/splunkforwarder/etc/system/default/alert_actions.conf

and remove line 229: enable_allowlist = false

But this will have an impact on the manifest check at start, as you're not supposed to edit files provided with the installation.

You could also edit the manifest file and remove the line which checks for this specific alert_actions.conf, but Splunk support may ask for the original manifest file if you open a case with them.

About

Warning: Attempting to revert the SPLUNK_HOME ownership
Warning: Executing "chown -R splunk /opt/splunkforward

This is an automatic message since version 9 every time you type a splunk command line.

At this time the correct procedure to get rid of this is not clearly defined, as far as I know.

0 Karma
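
One way to triage the `splunk btool check --debug` messages quoted in this thread, as an added example that is not part of the original posts or Splunk's own tooling: it parses the two message formats shown above and separates findings in `default/` directories (files shipped with the forwarder or an app, which the reply says should not be edited) from findings in `local/`, which hold the administrator's own settings. The `local/inputs.conf` line in the sample is constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Message formats copied from the btool output quoted in the question.
INVALID_KEY = re.compile(
    r"Invalid key in stanza \[(?P<stanza>[^\]]+)\] in (?P<path>\S+), "
    r"line (?P<line>\d+): (?P<key>\S+)\s+\(value: (?P<value>.*)\)\.")
NO_SPEC = re.compile(r"No spec file for: (?P<path>\S+)")


def layer(path):
    """default/ holds files shipped with the product or an app; local/ holds admin edits."""
    if "/default/" in path:
        return "shipped"
    if "/local/" in path:
        return "local"
    return "other"


def triage(output):
    """Group btool check findings by (kind, layer) so local problems stand out."""
    findings = defaultdict(list)
    for raw in output.splitlines():
        text = raw.strip()
        m = INVALID_KEY.search(text)
        if m:
            d = m.groupdict()
            d["line"] = int(d["line"])
            findings[("invalid_key", layer(d["path"]))].append(d)
            continue
        m = NO_SPEC.search(text)
        if m:
            findings[("no_spec", layer(m["path"]))].append({"path": m["path"]})
    return dict(findings)


# Constructed sample: two lines from the post plus one hypothetical local/ typo.
SAMPLE = """\
No spec file for: /opt/splunkforwarder/etc/system/default/telemetry.conf
Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
Invalid key in stanza [monitor:///var/log/syslog] in /opt/splunkforwarder/etc/system/local/inputs.conf, line 3: sourcetyp (value: syslog).
"""

if __name__ == "__main__":
    for (kind, where), items in sorted(triage(SAMPLE).items()):
        for item in items:
            print(kind, where, item)
```

Findings tagged `shipped` point at files covered by the installation manifest, so the fix for those is an upgrade rather than an edit; findings tagged `local` are the ones to correct by hand.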