Splunk Enterprise

Does anyone know a fix for Splunk 9.x Invalid Stanza in `federated.conf`?

morethanyell
Builder

Newly released Splunk 9 introduced an error or invalid stanza on `federated.conf`. Does anybody know how to fix this?

```
Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).
Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).
```

0 Karma
1 Solution

mskrzynski
Explorer

Hello,

I have the same error after upgrade from 8.2.7.

```
./splunk btool check --debug
Checking: /opt/splunk/etc/system/default/federated.conf
                Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).
                Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).
```

I’ve done some research; a fresh 9.0.0 install doesn’t have this file.

```
/opt/splunk/bin# ./splunk btool check --debug | grep fede
No spec file for: /opt/splunk/etc/system/default/federated.conf
```

So it looks like an after-upgrade issue.

miteshp250283
Path Finder

I had the same problem and I could get rid of that error by renaming "federated.conf.spec" file from $SPLUNK_HOME/etc/system/README path.

Please upvote if this is helpful.

Thanks, Mitesh.

mskrzynski
Explorer

Hi again,

Fresh 9.0.0 install

```
find $SPLUNK_HOME/ -name 'federated.conf*'
/opt/splunk/var/run/splunk/confsnapshot/baseline_default/system/default/federated.conf
/opt/splunk/etc/system/default/federated.conf
```

8.2.7 -> 9.0.0 install

```
find $SPLUNK_HOME/ -name 'federated.conf*'
/opt/splunk/etc/system/README/federated.conf.spec
/opt/splunk/etc/system/README/federated.conf.example
/opt/splunk/etc/system/default/federated.conf
/opt/splunk/var/run/splunk/confsnapshot/baseline_default/system/default/federated.conf
```

```
root@srvslprosplunk1:/opt# mv /opt/splunk/etc/system/README/federated.conf.spec /home/splunk/
root@srvslprosplunk1:/opt# mv /opt/splunk/etc/system/README/federated.conf.example /home/splunk/
root@srvslprosplunk1:/opt# splunk/bin/splunk btool check --debug | grep fede
No spec file for: /opt/splunk/etc/system/default/federated.conf
```

```
/etc/init.d/splunk start

Splunk> Finding your faults, just like mom.

Checking prerequisites...
        Checking http port [8000]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
All preliminary checks passed.

Starting splunk server daemon (splunkd)...

If you get stuck, we're here to help.
Look for answers here: http://docs.splunk.com

The Splunk web interface is at https://xxx:8000
```

Works fine.

0 Karma

norbertt911
Communicator

Hi,

 

No offense, but the first rule of Splunk is that the

/opt/splunk/etc/system/README/

/opt/splunk/etc/system/default

folders and their content should not be modified. This should be done by Splunk support in a new release. I understand that the do-it-yourself way is faster, but in the future, you can have unexpected behavior.

0 Karma

mskrzynski
Explorer

Hi,

I understand and agree with you.

But a fresh install doesn’t have federated in README…

Best regards M.

0 Karma

joshiro
Communicator

We found out that the current Splunk 9 Enterprise OnPrem tarfile updates the /etc/system/default/federated.conf file with new options/keys but they aren't including the associated spec file in /etc/system/README/federated.conf.spec or the example file in /etc/system/README/federated.conf.example.

So it is using the previous version of both spec and example files if you are upgrading, or none if it is a clean install.

Also there is no information about the 9.0.0 federated.conf.spec in the conf files reference section of the online admin manual (there are entries for older versions https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Federatedconf), so we can't generate the fixed spec file.

We could add these missing options/keys into the spec file (assuming the spec is broken), or we could use the 8.2.6 federated.conf file that works (assuming the current one is broken).
Any ideas about this issue? Or official responses from Splunk about this?

0 Karma

isoutamo
SplunkTrust

If you need those options, then add them to the spec file; otherwise remove or comment them out. Anyway, you should create a support case with Splunk so that they can fix it for future versions.

0 Karma

zrxcrasher
Loves-to-Learn Lots

This is not something I configured intentionally.  This is the direct result of upgrade from Splunk 8.2.4 to 9.0.0.

0 Karma

zrxcrasher
Loves-to-Learn Lots

I am getting that exact same set of errors as the original author on a basic 8.2.4 deployment server.

0 Karma

isoutamo
SplunkTrust

Can you check, e.g. with od, that this file is not corrupted and doesn't contain some additional control character?

od -t c -t x1 

I cannot test those parameters, but please check them from the man page.

0 Karma

morethanyell
Builder

btool.png

This is what I get.

0 Karma

isoutamo
SplunkTrust

Hi

Quite interesting, as I have both of those in place and didn't get any errors!

```
[soutamo@fer] ~>
(0) $ splunk btool check
[soutamo@fer] ~>
(0) $ splunk btool federated list --debug
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf [default]
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf [general]
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf needs_consent = true
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf [provider:splunk]
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf appContext = search
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf mode = standard
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf type = splunk
/opt/splunk/9.0.0/splunk/etc/system/default/federated.conf useFSHKnowledgeObjects = false
[soutamo@fer] ~>
(0) $
```

What do you get when you run those two commands?

r. Ismo 

0 Karma

norbertt911
Communicator

Hi,

I got the exact same error after upgrading 8.2.6.  

```
splunk btool check --debug
...
Checking: /opt/splunk/etc/system/default/federated.conf
Invalid key in stanza [provider:splunk] in /opt/splunk/etc/system/default/federated.conf, line 20: mode (value: standard).
Invalid key in stanza [general] in /opt/splunk/etc/system/default/federated.conf, line 23: needs_consent (value: true).
...
```

```
splunk btool federated list --debug
/opt/splunk/etc/system/default/federated.conf [default]
/opt/splunk/etc/system/default/federated.conf [general]
/opt/splunk/etc/system/default/federated.conf needs_consent = true
/opt/splunk/etc/system/default/federated.conf [provider:splunk]
/opt/splunk/etc/system/default/federated.conf appContext = search
/opt/splunk/etc/system/default/federated.conf mode = standard
/opt/splunk/etc/system/default/federated.conf type = splunk
/opt/splunk/etc/system/default/federated.conf useFSHKnowledgeObjects = false
```

Any idea?

0 Karma

norbertt911
Communicator

Hi,

Correct me if I'm wrong but "mode" and "needs_consent" value definitions are missing from .../system/README/federated.conf.example and federated.conf.spec.

I think that is causing the issue.
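
The mismatch discussed in this thread (keys set in default/federated.conf that the spec file under README does not declare) can be checked read-only, without moving or editing any shipped file. This is an added example, not part of any post and not Splunk's tooling; the function names and both sample files are constructed, and key names are matched against the whole spec rather than per stanza.

```shell
#!/bin/sh
# Added example: report keys a .conf file sets that a .conf.spec never declares.
# Assumption: keys are matched against the whole spec; stanza patterns ignored.

# usage: keys_missing_from_spec CONF SPEC   -> prints "[stanza] key" per miss
keys_missing_from_spec() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*$/    { next }                      # blank line
    /^[ \t]*[#*]/ { next }                      # comment or spec prose line
    /^[ \t]*\[/   { stanza = trim($0); next }   # stanza header
    {
      eq = index($0, "=")
      if (eq == 0) next
      key = trim(substr($0, 1, eq - 1))
      if (FILENAME == ARGV[1]) declared[key] = 1     # first file: the spec
      else if (!(key in declared)) print stanza " " key
    }
  ' "$2" "$1"
}

# Constructed samples: the conf mirrors the "btool federated list" output in
# this thread; the spec is a hypothetical stale one, not Splunk's file.
write_samples() {
  cat > "$1/federated.conf" <<'EOF'
[general]
needs_consent = true
[provider:splunk]
appContext = search
mode = standard
type = splunk
useFSHKnowledgeObjects = false
EOF
  cat > "$1/federated.conf.spec" <<'EOF'
[provider:<name>]
* hypothetical stanza pattern and prose line
type = <string>
appContext = <string>
useFSHKnowledgeObjects = <boolean>
EOF
}

demo() {
  d=$(mktemp -d) || return 1
  write_samples "$d"
  keys_missing_from_spec "$d/federated.conf" "$d/federated.conf.spec"
  rm -rf "$d"
}
demo
```

On a real host, point `keys_missing_from_spec` at the two paths shown in the `find` output above; empty output means every key in the conf is declared somewhere in the spec.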
