Checking: /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf
Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 3: p
ort (value: 8088)
Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 4: e
nableSSL (value: 1)
Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 6: d
edicatedIoThreads (value: 2)
Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 7: m
axThreads (value: 0)
Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 8: maxSockets (value: 0)
Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 9: useDeploymentServer (value: 0)
Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 11: sslVersions (value: *,-ssl2)
Did you mean 'source'?
Did you mean 'sourcetype'?
Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 12: allowSslCompression (value: true)
Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 13: allowSslRenegotiation (value: true)
Checking: /fs/untd-1/splunk/etc/apps/splunk_instrumentation/default/app.conf
Invalid key in stanza [ui] in /opt/splunk/etc/apps/splunk_instrumentation/default/app.conf, line 12: show_in_nav (value: 0)
Checking: /fs/untd-1/splunk/etc/apps/splunk_instrumentation/default/collections.conf
Invalid key in stanza [instrumentation] in /opt/splunk/etc/apps/splunk_instrumentation/default/collections.conf, line 10: type (value: internal_cache)
What I have identified is after the Splunk server moved from CentOS 5 to CentOS 6, below are new folders that got created.
drwxr-xr-x 3 31855 31855 4096 Feb 28 2018 splunk_httpinput
drwxr-xr-x 5 31855 31855 4096 Feb 28 2018 splunk_archiver
drwxr-xr-x 4 31855 31855 4096 Feb 28 2018 appsbrowser
drwxr-xr-x 7 31855 31855 4096 Feb 28 2018 alert_webhook
drwxr-xr-x 7 31855 31855 4096 Feb 28 2018 alert_logevent
drwxr-xr-x 7 31855 31855 4096 Feb 28 2018 splunk_instrumentation
drwxr-xr-x 11 31855 31855 4096 Feb 28 2018 splunk_monitoring_console
I'm getting alerts from all the files in the above dirs. How can I fix them? I'm using Splunk 6.2.2 version
Thanks
Rajesh
hi @rajesh_pidikiti
Did the answer below solve your problem? If so, please resolve this post by approving it!
If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks for posting!
Those messages mean btool found an attribute ("key") in a .conf file that is not present in the corresponding .conf.spec file. The .conf.spec file identifies all of the valid keys allowed in the .conf. Use a text editor to review the files listed in the btool output and verify everything on the left side of an "=" is also present in the matching .spec file. Some of the keys you are using may be for newer versions of Splunk.
Thanks @richgalloway . Your answer should be selected as "solution" cuz it definitely answered it for me and solve it for me.
Thanks. Yeah, I'm seeing the conf.spec doesn't have any data.
[logevent]
param.event = <string>
* Default value for event content sent to the receiver endpoint, which is eventually indexed
param.host = <string>
* Default field value of the host field of the newly indexed event
param.source = <string>
* Default field value of the source field of the newly indexed event
param.sourcetype = <string>
* Default field value of the sourcetype field of the newly indexed event
param.index = <string>
* Default field value for the destination index of the newly indexed event
<<<<
In my env, I don't require all these apps like alert_webhook, splunk_instrumentation, etc. How can disable or remove them?
Thanks
Rajesh
If an attribute does not exist in the .spec file, then it should not be present in the matching .conf file. Edit the .conf file to remove the offending attribute then re-run btool to verify there are no other warnings.