
Invalid key in stanza in Splunk_TA_windows version 8.1.2

ketilolav
Explorer

Hi, 

I just installed Splunk_TA_windows on my Windows 2016 server. The server is running the Splunk UF version 7.3.x and this is a new install.

I am getting this error message during startup of the Splunk UF and when I run the btool command

 'C:\Program Files\splunkuniversalforwarder\bin\splunk.exe' btool check debug 

Checking: C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf
Invalid key in stanza [user_account_control_property] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 10: external_cmd (value: user_account_control_property.py userAccountControl userAccountPropertyFlag).
Invalid key in stanza [user_account_control_property] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 11: external_type (value: python).
Invalid key in stanza [user_account_control_property] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 12: fields_list (value: userAccountControl,userAccountPropertyFlag).
Invalid key in stanza [dhcp_discard_headers] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 19: REGEX (value: ^(?:[^\d]+|\d+[^\d,])).
Invalid key in stanza [dhcp_discard_headers] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 20: DEST_KEY (value: queue).
Invalid key in stanza [dhcp_discard_headers] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 21: FORMAT (value: nullQueue).
Invalid key in stanza [auto_kv_for_microsoft_dhcp] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 24: DELIMS (value: ",").
Invalid key in stanza [auto_kv_for_microsoft_dhcp] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 25: FIELDS (value: msdhcp_id,date,time,description,ip,nt_host,mac).
Invalid key in stanza [msdhcp_signature_lookup] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 28: filename (value: msdhcp_signatures.csv).

<......SNIP ...>

Invalid key in stanza [dns_recordclass_lookup] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 1267: filename (value: dns_recordclass_lookup.csv).
Invalid key in stanza [geo_us_states] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 2: external_type (value: geo).
Invalid key in stanza [geo_us_states] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 3: filename (value: geo_us_states.kmz).
Invalid key in stanza [geo_countries] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 6: external_type (value: geo).
Invalid key in stanza [geo_countries] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 7: filename (value: geo_countries.kmz).
Invalid key in stanza [geo_attr_us_states] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 10: filename (value: geo_attr_us_states.csv).
Invalid key in stanza [geo_attr_countries] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 13: filename (value: geo_attr_countries.csv).
Invalid key in stanza [geo_hex] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 16: external_type (value: geo_hex).

Looks like there's a syntax error on every line in the default transforms.conf file.

Upgraded from Splunk UF 7.3.3 to Splunk UF 7.3.9 - same problem. 

This is a default Splunk UF install. No other application is deployed to this UF. 


ketilolav
Explorer

Hi, 

Transforms.conf is part of the TA, BUT transforms should be done on the indexer. The forwarder doesn’t know this, and does not have a transforms.conf.spec file because it is not anticipating having to do any of that work. That is where the errors come in. (1) Modify the TA when putting it on the UF by adjusting (or removing) said files. In my case, I renamed the transforms.conf to transforms.conf.old. (2) Ignore the messages, as it will work fine anyway.

Then I deployed the transforms.conf to my indexers.

Hope this gives you some clarity about what's going on.

Best,
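When a TA throws hundreds of these lines, it helps to see at a glance which app and which conf file they come from, and whether they are all in transforms.conf (harmless on a UF, per the answer above) or also in files the forwarder genuinely owns. The following is an added Python example, not code from the thread or from Splunk_TA_windows: it parses btool "Invalid key in stanza" lines, counts them per app and conf file, and splits them into "expected on a UF" and "investigate". The sample output is constructed in the shape of the lines quoted in the question; the inputs.conf line with a made-up key and the PARSING_TIER_CONFS set are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of the btool check output quoted in the question.
# The last line (a typo key in a local inputs.conf) is invented so the triage has
# something to flag; it is not from the thread.
SAMPLE_BTOOL_OUTPUT = r"""
Checking: C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf
Invalid key in stanza [dhcp_discard_headers] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 19: REGEX (value: ^(?:[^\d]+|\d+[^\d,])).
Invalid key in stanza [dhcp_discard_headers] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 20: DEST_KEY (value: queue).
Invalid key in stanza [msdhcp_signature_lookup] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\default\transforms.conf, line 28: filename (value: msdhcp_signatures.csv).
Invalid key in stanza [geo_us_states] in C:\Program Files\splunkuniversalforwarder\etc\apps\search\default\transforms.conf, line 2: external_type (value: geo).
Invalid key in stanza [WinEventLog://Security] in C:\Program Files\splunkuniversalforwarder\etc\apps\Splunk_TA_windows\local\inputs.conf, line 4: typo_key (value: 1).
"""

# One btool error line: stanza, file path, line number, key and its value.
ERROR_RE = re.compile(
    r"^Invalid key in stanza \[(?P<stanza>[^\]]+)\] in (?P<path>.+?), "
    r"line (?P<line>\d+): (?P<key>\S+) \(value: (?P<value>.*)\)\.$"
)
# ...\etc\apps\<app>\<default|local>\<file>.conf, with Windows or POSIX separators.
APP_PATH_RE = re.compile(
    r"[\\/]etc[\\/]apps[\\/](?P<app>[^\\/]+)[\\/](?P<layer>default|local)[\\/](?P<conf>[^\\/]+)$"
)

# Assumption taken from the answer: transforms.conf is consumed on the parsing tier
# (indexers), so a UF has no spec for it and every key in it reads as invalid.
PARSING_TIER_CONFS = {"transforms.conf"}


def parse_btool_errors(text):
    """Return one dict per 'Invalid key in stanza' line; all other lines are ignored."""
    errors = []
    for raw in text.splitlines():
        m = ERROR_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["line"] = int(rec["line"])
        loc = APP_PATH_RE.search(rec["path"])
        rec["app"] = loc.group("app") if loc else None
        rec["layer"] = loc.group("layer") if loc else None
        rec["conf"] = loc.group("conf") if loc else rec["path"].rsplit("\\", 1)[-1]
        errors.append(rec)
    return errors


def count_by_file(errors):
    """Counter keyed by (app, conf) so the noisy file stands out."""
    return Counter((e["app"], e["conf"]) for e in errors)


def triage(errors):
    """Split errors into 'expected on a UF' (parsing-tier conf) and 'investigate'."""
    expected = [e for e in errors if e["conf"] in PARSING_TIER_CONFS]
    investigate = [e for e in errors if e["conf"] not in PARSING_TIER_CONFS]
    return expected, investigate


if __name__ == "__main__":
    errs = parse_btool_errors(SAMPLE_BTOOL_OUTPUT)
    for (app, conf), n in sorted(count_by_file(errs).items()):
        print(f"{app}/{conf}: {n} invalid key(s)")
    expected, investigate = triage(errs)
    print(f"{len(expected)} expected on a UF (parsing-tier conf), {len(investigate)} to investigate:")
    for e in investigate:
        print(f"  {e['app']}/{e['layer']}/{e['conf']} line {e['line']}: [{e['stanza']}] {e['key']}")
```

Feed it the real btool output (for example redirected to a file and read in place of SAMPLE_BTOOL_OUTPUT); any error that lands in the "investigate" list is in a file the UF really does parse and deserves a look, while a long list made up only of transforms.conf entries is the situation the answer describes.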

jonxilinx
Path Finder

Sorry, not an answer, but I have the same problem with running Windows 8.1.2 or 8.0.0 on 7.3.X.

It works on 8.1.X Windows UF.
It is also good on Unix 7.3.6 search heads (no btool errors at restart).

But lots of stanza errors are introduced, including in other apps, if we deploy to Windows UF.

Note we have just decided to migrate from 5.0 to 7.0 for the Windows TA until we can complete the 7.3.X UF upgrades.

If anyone has a solution to it not working I would be glad to hear about it.

 

