Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Invalid Key in alert_actions.conf after upgrade to Splunk 9.0.0?

dasadmin
Explorer
‎06-17-2022 08:31 AM

Hello

Upgraded Splunk Enterprise to 9.0.0 today - went OK.

Upgraded Splunk Universal Forwarders on Windows Server 2019 to 9.0.0 - upgrade says all went OK.

I opened cmd and executed splunk restart

The SplunkForwarder restarts OK, but I get the following error:

 

 

Invalid key in stanza [webhook] in D:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf, line 229: enable_allowlist (value: false)

 

 

In the file alert_actions.conf on line 229:

 

 

[webhook]
enable_allowlist = false

 

 

 

Anyone know why I'm seeing this after the upgrade?

Thanks

Labels (2)
Reply

Skeer-Jamf
Path Finder
‎07-17-2023 09:45 AM

Getting this error when either: installing fresh 9.1.0.1 or upgrading 8.x to 9.1.  This is just sad.. I mean how could Splunk have NOT fixed this in over a year??

Obviously the syntax changed.. can't be that hard to figure out why.

Reply

computermathguy
Path Finder
‎10-02-2023 11:24 AM

Getting the same warning.  I'll submit a support ticket.

0 Karma
Reply

ivarbaba
New Member
‎03-12-2023 11:27 PM

I have the same problem. Did you get a fix?

0 Karma
Reply

tro
Path Finder
‎03-13-2023 12:21 AM

You you are having same issue, then it is fixed in version Splunk 9.0.4. Please do update 😉

0 Karma
Reply

chadmedeiros
Path Finder
‎04-26-2023 07:39 AM

this is not fixed in 9.0.4

Reply

sumedhjoglekar
Loves-to-Learn Lots
‎07-20-2022 04:53 PM

Were you able to find any solution to this issue ?

0 Karma
Reply

dasadmin
Explorer
‎07-21-2022 07:17 AM

hello

I opened a case with splunk and they said don't worry about the error unless it is causing an issue.

It has been forwarded to splunk engineering to look at further.

Thx

Reply

tro
Path Finder
‎11-21-2022 12:35 AM

I'm so disappointed by Splunk release process that they even don't run "splunk btool check" in their testing pipelines to catch this kind of errors 🙄.

Reply

mhanisch_kvd
Observer
‎01-02-2023 04:38 AM

Happy new year everyone!

I want to ask, if there is an update about this issue? We updated our Splunk Server and universal forwarder to the latest version 9.0.2 yet and ran into the same issue on some machines.

Splunk and the forwarder seems to operate as intended, but we get this errors in the log on some hosts:

 

Dec 12 15:14:26 somehostname-123 splunk[2268]: Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
Dec 12 15:14:26 somehostname-123 splunk[2268]: Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
0 Karma
Reply

tro
Path Finder
‎01-02-2023 05:50 AM

I got this answer via official Splunk support:

Ticket raised to our developers: SPL-229404.
 
In general fix in new app version was already implemented. But app is still not ready to be released due to some other things which have to be tested.
Unfortunately I don't have any specific ETA for now but I believe it should not take too long.
So I would suggest watch SPL-229404 in upcoming changelogs.
0 Karma
Reply

lbdatpsu
Engager
‎04-25-2023 12:57 PM

Fwiw, the problem is still there in UF 9.0.4.

Reply

chadmedeiros
Path Finder
‎04-26-2023 07:38 AM

Honestly. Nearly 1 year later and 2 version revisions and every fresh UF install done on every server throws this out-of-the-box warning. Not at all impressed

Reply

achavarria
Engager
‎06-22-2022 12:38 PM

Getting the same issue in my environment after upgrading my universal forwarders to 9.0.0

Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-22-2022 11:39 PM

If this has worked earlier, you should report that to splunk support.

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-17-2022 12:14 PM

Hi

at lest I cannot found that parameter from conf file description. Are you sure that you haven’t gotten that warning earlier?

r. Ismo 

0 Karma
Reply

dasadmin
Explorer
‎06-17-2022 02:26 PM

Hello

I get the message across all the Windows clients when I restart the client:

 

Error when startingError when startingOutput of splunk btool check --debug (pt1)Output of splunk btool check --debug (pt1)Output of splunk btool check --debug (pt2)Output of splunk btool check --debug (pt2)

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-17-2022 02:45 PM
As you get it from etc/system/default directory and you haven't changed it, you should report this to Splunk via support portal.
0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top