Monitoring Splunk

Why am I getting Invalid key in stanza errors when running ./splunk btool check --debug?

rajesh_pidikiti
New Member
Checking: /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 3: port (value: 8088)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 4: enableSSL (value: 1)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 6: dedicatedIoThreads (value: 2)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 7: maxThreads  (value:  0)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 8: maxSockets  (value:  0)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 9: useDeploymentServer (value: 0)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 11: sslVersions (value: *,-ssl2)
        Did you mean 'source'?
        Did you mean 'sourcetype'?
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 12: allowSslCompression (value: true)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 13: allowSslRenegotiation (value: true)
Checking: /fs/untd-1/splunk/etc/apps/splunk_instrumentation/default/app.conf
                Invalid key in stanza [ui] in /opt/splunk/etc/apps/splunk_instrumentation/default/app.conf, line 12: show_in_nav  (value:  0)
Checking: /fs/untd-1/splunk/etc/apps/splunk_instrumentation/default/collections.conf
                Invalid key in stanza [instrumentation] in /opt/splunk/etc/apps/splunk_instrumentation/default/collections.conf, line 10: type  (value:  internal_cache)

What I have identified is that after the Splunk server moved from CentOS 5 to CentOS 6, the new folders below got created.

drwxr-xr-x  3   31855    31855 4096 Feb 28  2018 splunk_httpinput
drwxr-xr-x  5   31855    31855 4096 Feb 28  2018 splunk_archiver
drwxr-xr-x  4   31855    31855 4096 Feb 28  2018 appsbrowser
drwxr-xr-x  7   31855    31855 4096 Feb 28  2018 alert_webhook
drwxr-xr-x  7   31855    31855 4096 Feb 28  2018 alert_logevent
drwxr-xr-x  7   31855    31855 4096 Feb 28  2018 splunk_instrumentation
drwxr-xr-x 11   31855    31855 4096 Feb 28  2018 splunk_monitoring_console

I'm getting alerts from all the files in the above dirs. How can I fix them? I'm using Splunk version 6.2.2.

Thanks
Rajesh

0 Karma

mstjohn_splunk
Splunk Employee

hi @rajesh_pidikiti

Did the answer below solve your problem? If so, please resolve this post by approving it!
If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks for posting!

0 Karma

richgalloway
SplunkTrust

Those messages mean btool found an attribute ("key") in a .conf file that is not present in the corresponding .conf.spec file. The .conf.spec file identifies all of the valid keys allowed in the .conf. Use a text editor to review the files listed in the btool output and verify everything on the left side of an "=" is also present in the matching .spec file. Some of the keys you are using may be for newer versions of Splunk.

---
If this reply helps you, Karma would be appreciated.

aa70627
Communicator

Thanks @richgalloway. Your answer should be selected as "solution" cuz it definitely answered it for me and solved it for me.

0 Karma

rajesh_pidikiti
New Member

Thanks. Yeah, I'm seeing the conf.spec doesn't have any data.

[logevent]

param.event = <string>
* Default value for event content sent to the receiver endpoint, which is eventually indexed

param.host = <string>
* Default field value of the host field of the newly indexed event

param.source = <string>
* Default field value of the source field of the newly indexed event

param.sourcetype = <string>
* Default field value of the sourcetype field of the newly indexed event

param.index = <string>
* Default field value for the destination index of the newly indexed event

<<<<

In my env, I don't require all these apps like alert_webhook, splunk_instrumentation, etc. How can I disable or remove them?

Thanks
Rajesh

0 Karma

richgalloway
SplunkTrust

If an attribute does not exist in the .spec file, then it should not be present in the matching .conf file. Edit the .conf file to remove the offending attribute then re-run btool to verify there are no other warnings.

---
If this reply helps you, Karma would be appreciated.
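
The comparison richgalloway describes in both replies (every key in a .conf stanza must be declared in the matching .conf.spec), as an added example that is not part of the thread and is not Splunk's btool code. It is a simplified model: treating spec keys listed before the first stanza as global and treating `<placeholder>` names as wildcards are assumptions, and the sample files are constructed.

```python
import re

def parse_conf(text):
    """Return {stanza: {key: line_no}}; keys before any header go under 'default'."""
    stanzas, current = {}, "default"
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, and the "* ..." description lines used in .spec files.
        if not line or line[0] in "#*":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key = line.split("=", 1)[0].strip()
            stanzas.setdefault(current, {})[key] = line_no
    return stanzas

def _pattern(name):
    # Assumption: "<placeholder>" in a spec name matches any non-empty text.
    parts = re.split(r"<[^>]*>", name)
    return re.compile(".+".join(re.escape(p) for p in parts) + r"\Z")

def invalid_keys(conf_text, spec_text):
    """List (stanza, key, line_no) for conf keys the spec does not declare."""
    spec = parse_conf(spec_text)
    # Assumption: spec keys outside any stanza are valid in every stanza.
    global_keys = list(spec.get("default", {}))
    findings = []
    for stanza, keys in parse_conf(conf_text).items():
        allowed = list(global_keys)
        for spec_stanza, spec_keys in spec.items():
            if _pattern(spec_stanza).match(stanza):
                allowed.extend(spec_keys)
        patterns = [_pattern(k) for k in allowed]
        for key, line_no in keys.items():
            if not any(p.match(key) for p in patterns):
                findings.append((stanza, key, line_no))
    return sorted(findings, key=lambda f: f[2])

# Constructed sample input, modelled on the [http] stanza in the question.
SAMPLE_CONF = "[http]\ndisabled = 1\nport = 8088\nenableSSL = 1\nsourcetype = httpevent\n"
# Constructed spec standing in for a version that does not declare the flagged keys.
SAMPLE_SPEC = "sourcetype = <string>\n* Global setting.\n\n[http]\ndisabled = <bool>\n"

if __name__ == "__main__":
    for stanza, key, line_no in invalid_keys(SAMPLE_CONF, SAMPLE_SPEC):
        print(f"Invalid key in stanza [{stanza}], line {line_no}: {key}")
```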