Solved: Invalid key in stanza in Splunk_TA_windows version...

ketilolav · ‎06-22-2021

Hi,

I just installed Splunk_TA_windows on my windows 2016 server. The server is running the splunk uf version 7.3.x and this is a new install.

I am getting this error msg during startup of the Splunk UF and when I run the btool command

'C:\Program Files\splunkuniversalforwarder\bin\splunk.exe' btool check debug

Checking: C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf
Invalid key in stanza [user_account_control_property] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 10: external_cmd (value: user_account_control_property.py user
AccountControl userAccountPropertyFlag).
Invalid key in stanza [user_account_control_property] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 11: external_type (value: python).
Invalid key in stanza [user_account_control_property] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 12: fields_list (value: userAccountControl,userAccountProperty
Flag).
Invalid key in stanza [dhcp_discard_headers] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 19: REGEX (value: ^(?:[^\d]+|\d+[^\d,])).
Invalid key in stanza [dhcp_discard_headers] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 20: DEST_KEY (value: queue).
Invalid key in stanza [dhcp_discard_headers] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 21: FORMAT (value: nullQueue).
Invalid key in stanza [auto_kv_for_microsoft_dhcp] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 24: DELIMS (value: ",").
Invalid key in stanza [auto_kv_for_microsoft_dhcp] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 25: FIELDS (value: msdhcp_id,date,time,description,ip,nt_host,mac
).
Invalid key in stanza [msdhcp_signature_lookup] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 28: filename (value: msdhcp_signatures.csv).

<......SNIP ...>

Invalid key in stanza [dns_recordclass_lookup] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 1267: filename (value: dns_recordclass_lookup.csv).
Invalid key in stanza [geo_us_states] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 2: external_type (value: geo).
Invalid key in stanza [geo_us_states] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 3: filename (value: geo_us_states.kmz).
Invalid key in stanza [geo_countries] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 6: external_type (value: geo).
Invalid key in stanza [geo_countries] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 7: filename (value: geo_countries.kmz).
Invalid key in stanza [geo_attr_us_states] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 10: filename (value: geo_attr_us_states.csv).
Invalid key in stanza [geo_attr_countries] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 13: filename (value: geo_attr_countries.csv).
Invalid key in stanza [geo_hex] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 16: external_type (value: geo_hex).

Looks like there's a syntax error on every line in de default transforms.conf file.

Upgraded from Splunk UF 7.3.3 to Splunk UF 7.3.9 - same problem.

This is a default Splunk UF install. No other application is deployed to this UF.

ketilolav · ‎08-17-2021

Hi,

Transforms.conf is part of the TA, BUT transforms should be done on the indexer. The forwarder doesn’t know this, and does not have a transforms.conf.spec file because it is not anticipating having to do any of that work. That is where the errors come in. Modify the TA when putting it on the UF by adjusting (or removing) said files. In my case, I renamed the transforms.conf to transforms.conf.old. (2) ignore the messages, as it will work fine anyway.

Then I deployed the transforms.conf to my indexers.

Hope this gives you some clarity about what's going on.

Best,

View solution in original post

jonxilinx · ‎08-17-2021

sorry , not an answer , but i have the same problem with running windows8.1.2 or 8.0.0 on 7.3.X

It works on 8.1.X windows UF
It is also good on Unix 7.3.6 Search heads (no btool,errors at restart)

but lots of stanza errors are introduced , including in other apps if we deploy to windows UF

Note we have just decided to migrate from 5.0 to 7.0 for the windows TA until we can complete the 7.3.X UF upgrades

If anyone has a soln to it not working I would be glad to hear abut it

ketilolav · ‎08-17-2021

Hi,

Transforms.conf is part of the TA, BUT transforms should be done on the indexer. The forwarder doesn’t know this, and does not have a transforms.conf.spec file because it is not anticipating having to do any of that work. That is where the errors come in. Modify the TA when putting it on the UF by adjusting (or removing) said files. In my case, I renamed the transforms.conf to transforms.conf.old. (2) ignore the messages, as it will work fine anyway.

Then I deployed the transforms.conf to my indexers.

Hope this gives you some clarity about what's going on.

Best,

Invalid key in stanza in Splunk_TA_windows version 8.1.2

forwarder

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk