Solved: Does anyone know a fix for Splunk 9.x Invalid Stan...

morethanyell · ‎06-20-2022

Newly released Splunk 9 introduced an error or invalid stanza on `federated.conf`. Anybody knows how to fix this?

Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).
Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).

mskrzynski · ‎07-18-2022

Hello,

I have the same error after upgrade from 8.2.7.

./splunk btool check --debug

Checking: /opt/splunk/etc/system/default/federated.conf

Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).

Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).

I’ve made some research on fresh 9.0.0 install doesn’t have this file.

/opt/splunk/bin# ./splunk btool check --debug | grep fede

No spec file for: /opt/splunk/etc/system/default/federated.conf

So it looks like an after upgrade issue.

View solution in original post

miteshp250283 · ‎08-14-2022

I had the same problem and I could get rid of that error by renaming "federated.conf.spec" file from $SPLUNK_HOME/etc/system/README path.

Please upvote if this helpful.

Thanks, Mitesh.

mskrzynski · ‎07-18-2022

Hi again,

Fresh 9.0.0 install

find $SPLUNK_HOME/ -name federated.conf*

/opt/splunk/var/run/splunk/confsnapshot/baseline_default/system/default/federated.conf

/opt/splunk/etc/system/default/federated.conf

8.2.7 -> 9.0.0 install

find $SPLUNK_HOME/ -name federated.conf*

/opt/splunk/etc/system/README/federated.conf.spec

/opt/splunk/etc/system/README/federated.conf.example

/opt/splunk/etc/system/default/federated.conf

/opt/splunk/var/run/splunk/confsnapshot/baseline_default/system/default/federated.conf

root@srvslprosplunk1:/opt# mv /opt/splunk/etc/system/README/federated.conf.spec /home/splunk/

root@srvslprosplunk1:/opt# mv /opt/splunk/etc/system/README/federated.conf.example /home/splunk/

root@srvslprosplunk1:/opt# splunk/bin/splunk btool check –debug | grep fede

No spec file for: /opt/splunk/etc/system/default/federated.conf

/etc/inid.d/splunk start

…

Splunk> Finding your faults, just like mom.

Checking prerequisites...

Checking http port [8000]: open

Checking mgmt port [8089]: open

Checking appserver port [127.0.0.1:8065]: open

All preliminary checks passed.

…

Starting splunk server daemon (splunkd)...

If you get stuck, we're here to help.

Look for answers here: http://docs.splunk.com

The Splunk web interface is at https://xxx:8000

Works fine.

norbertt911 · ‎07-19-2022

Hi,

No offense, but he first rule of Splunk, that

/opt/splunk/etc/system/README/

/opt/splunk/etc/system/default

folders and content should be not modified. This is should be done by the Splunk support in a new release. I understand that the do-it-yourself way faster, but in the future, you can have unexpected behavior.

mskrzynski · ‎07-20-2022

Hi,

I understand and agree with You.

But fresh install doesn’t have federated in README…

Best regards M.

mskrzynski · ‎07-18-2022

Hello,

I have the same error after upgrade from 8.2.7.

./splunk btool check --debug

Checking: /opt/splunk/etc/system/default/federated.conf

Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).

Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).

I’ve made some research on fresh 9.0.0 install doesn’t have this file.

/opt/splunk/bin# ./splunk btool check --debug | grep fede

No spec file for: /opt/splunk/etc/system/default/federated.conf

So it looks like an after upgrade issue.

joshiro · ‎06-27-2022

We found out that the current Splunk 9 Enterprise OnPrem tarfile updates the /etc/system/default/federated.conf file with new options/keys but they arent including the associated spec file in /etc/system/README/federated.conf.spec or the example file in /etc/system/README/federated.conf.example.

So it is using the previous version of both spec and example files if you are upgrading, or none if it is a clean install.

Also there is no information about the 9.0.0 federated.conf.spec in the conf files reference section of the online admin manual (there are entries for older versions https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Federatedconf), so we cant generate the fixed spec file.

We could add these missing options/keys into the spec file (assuming the spec is broken), or we could use the 8.2.6 federated.conf file that works (assuming the current one is broken).
Any ideas about this issue? or official responses from Splunk about this?

isoutamo · ‎06-27-2022

If you are needing those options then add those to spec file otherwise remove/comment those. Anyway you should create a support case to splunk, that they could fix it for future versions.

zrxcrasher · ‎06-27-2022

This is not something I configured intentionally. This is the direct result of upgrade from Splunk 8.2.4 to 9.0.0.

zrxcrasher · ‎06-21-2022

I am getting that exact same set of errors as the original author on a basic 8.2.4 deployment server.

isoutamo · ‎06-21-2022

Can you check e.g. with od that this file is not corrupted and contains some additional control character?

od -t c -t x1

I cannot test those parameters, but please check those from man page.

morethanyell · ‎06-21-2022

This is what I get.

isoutamo · ‎06-21-2022

Hi

quite interesting as I have both of those in place and didn't got any errors!

[soutamo@fer] ~>
(0) $ splunk btool check
[soutamo@fer] ~>
(0) $ splunk btool federated list --debug
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf [default]
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf [general]
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf needs_consent = true
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf [provider:splunk]
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf appContext = search
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf mode = standard
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf type = splunk
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf useFSHKnowledgeObjects = false
[soutamo@fer] ~>
(0) $

What you will gotten when you are running those two commands?

r. Ismo

norbertt911 · ‎06-24-2022

Hi,

I got the exact same error after upgrading 8.2.6.

splunk btool check --debug

...

Checking: /opt/splunk/etc/system/default/federated.conf
Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).
Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).

...

splunk btool federated list --debug
/opt/splunk/etc/system/default/federated.conf [default]
/opt/splunk/etc/system/default/federated.conf [general]
/opt/splunk/etc/system/default/federated.conf needs_consent = true
/opt/splunk/etc/system/default/federated.conf [provider:splunk]
/opt/splunk/etc/system/default/federated.conf appContext = search
/opt/splunk/etc/system/default/federated.conf mode = standard
/opt/splunk/etc/system/default/federated.conf type = splunk
/opt/splunk/etc/system/default/federated.conf useFSHKnowledgeObjects = false

any idea?

norbertt911 · ‎06-24-2022

Hi,

Correct me if I'm wrong but "mode" and "needs_consent" value definitions are missing from .../system/README/federated.conf.example and federated.conf.spec.

I think that causing the issue.

Does anyone know a fix for Splunk 9.x Invalid Stanza in `federated.conf`?

configuration

troubleshooting

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024