- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, can anybody help, please?
I'm using Splunk Universal Forwarder 9.0.4 (build de405f4a7979) and from 15.07.2023 I have no indexed data in Splunk. .After restart there is only 1 error:
Invalid key in stanza [webhook] in C:\Program Files\SplunkUniversalForwarder\etc\system\default\alert_actions.conf, line 229: enable_allowlist (value: false).
Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'
I tried this step:
1. removed
[webhook]
enable_allowlist = false
or
2. changed it into true
nothing helped. Any advice, please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem has been fixed by splunk admins. Unfortunately I don't know how. Problem appeared when they deleted old indexers from the cluster and the still have been configured on the FW side.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem has been fixed by splunk admins. Unfortunately I don't know how. Problem appeared when they deleted old indexers from the cluster and the still have been configured on the FW side.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I doubt that error is causing your data ingest issue, since "enable_allowlist" appears to be an invalid option for the alert_actions.conf file that came with the Splunk UF software. You can safely ignore that error.
It's also a known issue on Splunk UF v9.0.4: https://community.splunk.com/t5/Splunk-Enterprise/Invalid-Key-in-alert-actions-conf-after-upgrade-to...
