Splunk Enterprise Security

invalid Stanza error in SplunkEnterpriseSecuritySuite

arun_kant_sharm
Path Finder

Why am I getting an invalid stanza error in SplunkEnterpriseSecuritySuite? Its *.conf.spec file is present in the README sub-folder.
I downloaded this app from Splunkbase.

    Checking conf files for problems...
            Invalid key in stanza [app_imports_update://update_es] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 8: app_regex          (value:  (appsbrowser)|(phantom)|(search)|([ST]A-.*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)).
            Invalid key in stanza [app_imports_update://update_es] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 9: app_exclude_regex  (value:  sideview_utils).
            Invalid key in stanza [app_imports_update://update_es] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 10: app_include_list   (value:  Splunk_DA-ESS_PCICompliance,DA-ESS-ContentUpdate).
            Invalid key in stanza [app_imports_update://update_es] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 11: apps_to_update     (value:  (SA-.*)|(Splunk_SA_.*)).
            Invalid key in stanza [app_imports_update://update_es_da] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 22: app_regex          (value:  (appsbrowser)|(phantom)|(search)|(SA-.*)|(Splunk_SA_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)|(SplunkEnterpriseSecuritySuite)).
            Invalid key in stanza [app_imports_update://update_es_da] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 23: app_exclude_regex  (value:  sideview_utils).
            Invalid key in stanza [app_imports_update://update_es_da] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 24: app_include_list   (value:  Splunk_DA-ESS_PCICompliance,DA-ESS-ContentUpdate).
            Invalid key in stanza [app_imports_update://update_es_da] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 25: apps_to_update     (value:  (DA-ESS-.*)|(Splunk_DA-ESS_.*)).
            Invalid key in stanza [app_imports_update://update_es_main] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 34: app_regex          (value:  (appsbrowser)|(phantom)|(splunk_instrumentation)|(search)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)).
            Invalid key in stanza [app_imports_update://update_es_main] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 35: app_exclude_regex  (value:  sideview_utils).
            Invalid key in stanza [app_imports_update://update_es_main] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 36: app_include_list   (value:  Splunk_DA-ESS_PCICompliance,DA-ESS-ContentUpdate).
            Invalid key in stanza [app_imports_update://update_es_main] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 37: apps_to_update     (value:  SplunkEnterpriseSecuritySuite).
            Invalid key in stanza [dm_accel_settings://Application_State] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 61: acceleration  (value:  false).
            Invalid key in stanza [dm_accel_settings://Authentication] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 65: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Certificates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 69: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Change] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 73: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Change_Analysis] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 77: acceleration  (value:  false).
            Invalid key in stanza [dm_accel_settings://Domain_Analysis] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 81: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Email] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 85: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Endpoint] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 89: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Incident_Management] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 93: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Intrusion_Detection] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 97: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Malware] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 101: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Network_Resolution] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 105: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Network_Sessions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 109: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Network_Traffic] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 113: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Performance] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 117: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Risk] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 121: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Splunk_Audit] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 125: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Ticket_Management] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 129: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Updates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 133: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Vulnerabilities] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 137: acceleration  (value:  true).
            Invalid key in stanza [dm_accel_settings://Web] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 141: acceleration  (value:  true).
            Invalid key in stanza [configuration_check://confcheck_app_exports] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 147: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_app_exports] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 148: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_app_exports] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 149: suppress  (value: ).
            Invalid key in stanza [configuration_check://confcheck_app_exports] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 150: debug  (value:  False).
            Invalid key in stanza [configuration_check://confcheck_es_deprecate_apps] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 154: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_es_deprecate_apps] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 155: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_es_deprecate_apps] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 156: suppress  (value: ).
            Invalid key in stanza [configuration_check://confcheck_es_deprecate_apps] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 157: debug  (value:  False).
            Invalid key in stanza [configuration_check://confcheck_es_identity_correlation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 161: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_es_identity_correlation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 162: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_es_identity_correlation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 163: suppress  (value: ).
            Invalid key in stanza [configuration_check://confcheck_es_identity_correlation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 164: debug  (value:  False).
            Invalid key in stanza [configuration_check://confcheck_es_correlationmigration] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 168: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_es_correlationmigration] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 169: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_es_correlationmigration] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 170: suppress  (value: ).
            Invalid key in stanza [configuration_check://confcheck_es_correlationmigration] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 171: debug  (value:  False).
            Invalid key in stanza [configuration_check://confcheck_es_migrate_investigations] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 175: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_es_migrate_investigations] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 176: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_es_migrate_investigations] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 177: suppress  (value: ).
            Invalid key in stanza [configuration_check://confcheck_es_migrate_investigations] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 178: debug  (value:  False).
            Invalid key in stanza [configuration_check://confcheck_es_migrate_reviewstatus_transitions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 182: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_es_migrate_reviewstatus_transitions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 183: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_es_migrate_reviewstatus_transitions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 184: suppress  (value:  ).
            Invalid key in stanza [configuration_check://confcheck_es_migrate_reviewstatus_transitions] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 185: debug  (value:  False).
            Invalid key in stanza [configuration_check://confcheck_es_sync_investigation_xrefs] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 189: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_es_sync_investigation_xrefs] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 190: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_es_sync_investigation_xrefs] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 191: suppress  (value:  ).
            Invalid key in stanza [configuration_check://confcheck_es_sync_investigation_xrefs] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 192: debug  (value:  False).
            Invalid key in stanza [configuration_check://confcheck_es_app_version] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 196: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_es_app_version] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 197: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_es_app_version] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 198: suppress  (value:  (Splunk_TA_|TA-)).
            Invalid key in stanza [configuration_check://confcheck_es_app_version] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 199: debug  (value:  False).
            Invalid key in stanza [configuration_check://confcheck_es_conf_cleanup] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 203: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_es_conf_cleanup] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 204: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_es_conf_cleanup] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 205: suppress  (value: ).
            Invalid key in stanza [configuration_check://confcheck_es_conf_cleanup] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 206: debug  (value:  False).
            Invalid key in stanza [configuration_check://confcheck_es_event_seq_running_templates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 210: default_severity  (value:  INFO).
            Invalid key in stanza [configuration_check://confcheck_es_event_seq_running_templates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 211: required_ui_severity  (value:  WARN).
            Invalid key in stanza [configuration_check://confcheck_es_event_seq_running_templates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 212: suppress  (value: ).
            Invalid key in stanza [configuration_check://confcheck_es_event_seq_running_templates] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/inputs.conf, line 213: debug  (value:  False).
            Invalid key in stanza [add_to_investigation] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/workflow_actions.conf, line 12: link.ir_override     (value:  #add_to_investigation).
            Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
                    Bad regex value: '(?<queries_in_queue>[\.\d]+) queries \in queue', of param: props.conf / [mysql:errorLog:mysqld_safe] / EXTRACT-queries_in_queue; why: unrecognized character follows \
            One or more regexes in your configuration are not valid. For details, please see btool.log or directly above.
    Done
    Checking default conf files for edits...
    Validating installed files against hashes from '/opt/splunk/splunk-8.0.1-6db836e2fb9e-linux-2.6-x86_64-manifest'
    All installed files intact.
    Done

    All preliminary checks passed.

0 Karma

Dias
Explorer

Still no answer?)))

 

0 Karma

krisrmal
Engager

Did you find any solution for this? I am also facing a similar issue.

0 Karma