Monitoring Splunk

Why am I getting Invalid key in stanza errors when running ./splunk btool check --debug ?

New Member
Checking: /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 3: port (value: 8088)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 4: enableSSL (value: 1)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 6: dedicatedIoThreads (value: 2)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 7: maxThreads  (value:  0)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 8: maxSockets  (value:  0)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 9: useDeploymentServer (value: 0)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 11: sslVersions (value: *,-ssl2)
        Did you mean 'source'?
        Did you mean 'sourcetype'?
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 12: allowSslCompression (value: true)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 13: allowSslRenegotiation (value: true)
Checking: /fs/untd-1/splunk/etc/apps/splunk_instrumentation/default/app.conf
                Invalid key in stanza [ui] in /opt/splunk/etc/apps/splunk_instrumentation/default/app.conf, line 12: show_in_nav  (value:  0)
Checking: /fs/untd-1/splunk/etc/apps/splunk_instrumentation/default/collections.conf
                Invalid key in stanza [instrumentation] in /opt/splunk/etc/apps/splunk_instrumentation/default/collections.conf, line 10: type  (value:  internal_cache)

What I have identified is after the Splunk server moved from CentOS 5 to CentOS 6, below are new folders that got created.

drwxr-xr-x  3   31855    31855 4096 Feb 28  2018 splunk_httpinput
drwxr-xr-x  5   31855    31855 4096 Feb 28  2018 splunk_archiver
drwxr-xr-x  4   31855    31855 4096 Feb 28  2018 appsbrowser
drwxr-xr-x  7   31855    31855 4096 Feb 28  2018 alert_webhook
drwxr-xr-x  7   31855    31855 4096 Feb 28  2018 alert_logevent
drwxr-xr-x  7   31855    31855 4096 Feb 28  2018 splunk_instrumentation
drwxr-xr-x 11   31855    31855 4096 Feb 28  2018 splunk_monitoring_console

I'm getting alerts from all the files in the above dirs. How can I fix them? I'm using Splunk version 6.2.2.

Thanks
Rajesh

0 Karma

Splunk Employee

hi @rajesh_pidikiti

Did the answer below solve your problem? If so, please resolve this post by approving it!
If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks for posting!

0 Karma

SplunkTrust

Those messages mean btool found an attribute ("key") in a .conf file that is not present in the corresponding .conf.spec file. The .conf.spec file identifies all of the valid keys allowed in the .conf. Use a text editor to review the files listed in the btool output and verify everything on the left side of an "=" is also present in the matching .spec file. Some of the keys you are using may be for newer versions of Splunk.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

Thanks. Yeah, I'm seeing the conf.spec doesn't have any data.

[logevent]

param.event = <string>
* Default value for event content sent to the receiver endpoint, which is eventually indexed

param.host = <string>
* Default field value of the host field of the newly indexed event

param.source = <string>
* Default field value of the source field of the newly indexed event

param.sourcetype = <string>
* Default field value of the sourcetype field of the newly indexed event

param.index = <string>
* Default field value for the destination index of the newly indexed event

<<<<

In my env, I don't require all these apps like alert_webhook, splunk_instrumentation, etc. How can I disable or remove them?

Thanks
Rajesh

0 Karma

SplunkTrust

If an attribute does not exist in the .spec file, then it should not be present in the matching .conf file. Edit the .conf file to remove the offending attribute then re-run btool to verify there are no other warnings.

---
If this reply helps you, an upvote would be appreciated.
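
The comparison described in the two answers above (every key in a .conf stanza must also appear in the matching .conf.spec) can be sketched as follows. This is an added example, not part of the original replies and not Splunk's btool code: it is a simplified approximation that matches stanza names exactly and treats keys under `[default]` in the spec as valid everywhere. `CONF` and `SPEC` are constructed samples that reuse key names from the output in the question.

```python
import re

STANZA = re.compile(r"^\[([^\]]*)\]\s*$")
KEY = re.compile(r"^([^=]+?)\s*=")

def parse(text):
    """Return {stanza: {key: line_number}} for .conf or .conf.spec text."""
    stanzas, current = {}, "default"      # keys before any header are global
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line[0] in "#*":   # blank, comment, or spec description
            continue
        header = STANZA.match(line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        setting = KEY.match(line)
        if setting:
            stanzas.setdefault(current, {})[setting.group(1)] = lineno
    return stanzas

def invalid_keys(conf_text, spec_text):
    """List (stanza, key, line) for every conf key the spec does not define."""
    conf, spec = parse(conf_text), parse(spec_text)
    global_keys = set(spec.get("default", {}))
    findings = []
    for stanza, keys in conf.items():
        allowed = global_keys | set(spec.get(stanza, {}))
        findings += [(stanza, k, n) for k, n in keys.items() if k not in allowed]
    return sorted(findings, key=lambda f: f[2])

# Constructed inputs.conf fragment (key names taken from the btool output above).
CONF = """\
[http]
disabled = 1
port = 8088
enableSSL = 1
"""
# Constructed spec fragment standing in for an older inputs.conf.spec.
SPEC = """\
[default]
host = <string>
source = <string>
sourcetype = <string>
* Sets the sourcetype field for events from this input.
disabled = <boolean>
"""

if __name__ == "__main__":
    for stanza, key, lineno in invalid_keys(CONF, SPEC):
        print(f"Invalid key in stanza [{stanza}], line {lineno}: {key}")
```
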