
Why am I getting Invalid key in stanza errors when running ./splunk btool check --debug ?

rajesh_pidikiti
New Member
Checking: /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 3: port (value: 8088)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 4: enableSSL (value: 1)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 6: dedicatedIoThreads (value: 2)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 7: maxThreads (value: 0)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 8: maxSockets (value: 0)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 9: useDeploymentServer (value: 0)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 11: sslVersions (value: *,-ssl2)
        Did you mean 'source'?
        Did you mean 'sourcetype'?
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 12: allowSslCompression (value: true)
                Invalid key in stanza [http] in /opt/splunk/etc/apps/splunk_httpinput/default/inputs.conf, line 13: allowSslRenegotiation (value: true)
Checking: /fs/untd-1/splunk/etc/apps/splunk_instrumentation/default/app.conf
                Invalid key in stanza [ui] in /opt/splunk/etc/apps/splunk_instrumentation/default/app.conf, line 12: show_in_nav (value: 0)
Checking: /fs/untd-1/splunk/etc/apps/splunk_instrumentation/default/collections.conf
                Invalid key in stanza [instrumentation] in /opt/splunk/etc/apps/splunk_instrumentation/default/collections.conf, line 10: type (value: internal_cache)

What I have identified is that after the Splunk server moved from CentOS 5 to CentOS 6, the folders below were newly created.

drwxr-xr-x  3   31855    31855 4096 Feb 28  2018 splunk_httpinput
drwxr-xr-x  5   31855    31855 4096 Feb 28  2018 splunk_archiver
drwxr-xr-x  4   31855    31855 4096 Feb 28  2018 appsbrowser
drwxr-xr-x  7   31855    31855 4096 Feb 28  2018 alert_webhook
drwxr-xr-x  7   31855    31855 4096 Feb 28  2018 alert_logevent
drwxr-xr-x  7   31855    31855 4096 Feb 28  2018 splunk_instrumentation
drwxr-xr-x 11   31855    31855 4096 Feb 28  2018 splunk_monitoring_console

I'm getting alerts from all the files in the above dirs. How can I fix them? I'm using Splunk version 6.2.2.

Thanks
Rajesh


mstjohn_splunk
Splunk Employee

hi @rajesh_pidikiti

Did the answer below solve your problem? If so, please resolve this post by approving it!
If your problem is still not solved, keep us updated so that someone else can help ya.
Thanks for posting!


richgalloway
SplunkTrust

Those messages mean btool found an attribute ("key") in a .conf file that is not present in the corresponding .conf.spec file. The .conf.spec file identifies all of the valid keys allowed in the .conf. Use a text editor to review the files listed in the btool output and verify everything on the left side of an "=" is also present in the matching .spec file. Some of the keys you are using may be for newer versions of Splunk.

---
If this reply helps you, Karma would be appreciated.
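Added example (not Splunk's btool and not the answerer's code): a small Python re-implementation of the check described above. It parses a constructed inputs.conf stanza and two constructed inputs.conf.spec versions, reports every key the spec does not list for that stanza, and approximates btool's "Did you mean" hints with difflib; the sample values, the treatment of keys before the first stanza as global defaults, and the `<name>` wildcard handling for spec stanza headers are assumptions made for illustration.

```python
import re
from difflib import get_close_matches
from typing import Dict, List, Set, Tuple

STANZA_RE = re.compile(r"^\[(.*)\]$")
KEY_RE = re.compile(r"^([^=#\s][^=]*?)\s*=\s*(.*)$")

def parse(text: str, spec: bool = False) -> Dict[str, Dict[str, str]]:
    """Parse .conf/.conf.spec text to {stanza: {key: value}}; '*' lines in a spec are prose."""
    stanzas: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"  # assumption: keys before the first [stanza] are global defaults
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] == "#" or (spec and line[0] == "*"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m:
            stanzas[current][m.group(1).strip()] = m.group(2).strip()
    return stanzas

def allowed_keys(spec: Dict[str, Dict[str, str]], stanza: str) -> Set[str]:
    """Keys the spec permits in `stanza`: global keys plus those of matching spec stanzas."""
    keys = set(spec["default"])
    for pattern, entries in spec.items():
        # a spec header like [http://<name>] is a pattern; <...> matches any name
        regex = ".+".join(re.escape(p) for p in re.split(r"<[^>]*>", pattern))
        if re.fullmatch(regex, stanza):
            keys |= set(entries)
    return keys

def check(conf_text: str, spec_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Mimic `btool check`: (stanza, key, value, 'did you mean' hints) for unknown keys."""
    spec = parse(spec_text, spec=True)
    bad = []
    for stanza, entries in parse(conf_text).items():
        ok = allowed_keys(spec, stanza)
        for key, value in entries.items():
            if key not in ok:
                bad.append((stanza, key, value, get_close_matches(key, sorted(ok), n=2)))
    return bad

# Constructed samples: an HEC stanza like the one flagged above, a spec lacking its keys, one with them
SAMPLE_CONF = "[http]\ndisabled = 0\nport = 8088\nenableSSL = 1\n"
OLD_SPEC = "[http]\ndisabled = <boolean>\n* Whether the HTTP input is disabled.\n"
NEW_SPEC = OLD_SPEC + "port = <integer>\nenableSSL = <boolean>\n"
```

Running `check(SAMPLE_CONF, OLD_SPEC)` reproduces the two "Invalid key in stanza [http]" findings for `port` and `enableSSL`, while the spec that documents them yields nothing, which is the situation the answer describes.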

aa70627
Communicator

Thanks @richgalloway. Your answer should be selected as "solution" because it definitely answered it for me and solved it for me.


rajesh_pidikiti
New Member

Thanks. Yeah, I'm seeing the conf.spec doesn't have any data.

[logevent]

param.event = <string>
* Default value for event content sent to the receiver endpoint, which is eventually indexed

param.host = <string>
* Default field value of the host field of the newly indexed event

param.source = <string>
* Default field value of the source field of the newly indexed event

param.sourcetype = <string>
* Default field value of the sourcetype field of the newly indexed event

param.index = <string>
* Default field value for the destination index of the newly indexed event

<<<<

In my env, I don't require all these apps like alert_webhook, splunk_instrumentation, etc. How can I disable or remove them?

Thanks
Rajesh


richgalloway
SplunkTrust

If an attribute does not exist in the .spec file, then it should not be present in the matching .conf file. Edit the .conf file to remove the offending attribute then re-run btool to verify there are no other warnings.

---
If this reply helps you, Karma would be appreciated.