Splunk Enterprise

Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.com

dees74
Explorer

I have had Splunk installed for 3 months and use the free license.
Version: 7.2.1

Some days ago I received an error:
"Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.com"

After a restart it appears again.
Why did I begin receiving this error (I didn't change any configs)?


snowman0
Loves-to-Learn

I know this is an old thread but for anyone that is having the same problem, this might help.
I had the same problem after upgrading to v8.2.x but after some tests I found the cause.

Splunk Enterprise 8.2.x has some new integrated apps which are not part of the version I was upgrading from (7.2.x). In particular "Python Upgrade Readiness App" which comes in the version 1.0.0 but has the option to Update to a newer available version.

This is what I found out:

- If I do not update the "Python Upgrade Readiness" app from version 1.0.0, I do not get any error message. I can also safely disable the app and no error message appears afterwards.

- If I update "Python Upgrade Readiness" to the latest version (when this is written, latest version is 3.10), I get this error, and even though I disable the app after the upgrade, the error message still remains.

The only way I found to get rid of the error message after updating the App was to downgrade back to version 1.0.0.

To downgrade, simply replace the app folder "$SPLUNK_HOME/etc/apps/python_upgrade_readiness_app" with the 1.0.0 version (I got the old version from a freshly installed Splunk) and then restart Splunk.
Voila, all errors gone!

This was my solution, it does not have to be the same for others but hopefully helps some.

0 Karma

csyvenky
Path Finder

I upgraded my laptop to 8.2.1 today and received this error.

To resolve, I opened C:\Splunk\etc\system\default\messages.conf in VS Code and it became apparent that several (about 10) single quotes were causing the misconfiguration. In places where a quote was missing I added it; in places where there was only one, I doubled it up.

i.e.

Error deleting temporary file %s', after copying to sinkhole.
became:
Error deleting temporary file >>'<<%s', after copying to sinkhole.
 
and
 
There aren't enough qualifying results (%u) for the specified number of clusters (%u).
became:
There aren>>'<<'t enough qualifying results (%u) for the specified number of clusters (%u).
 
Restarted Splunk and the error appears to be gone.
0 Karma

csyvenky
Path Finder

Sorry, it appears the error has not gone away for me - after some time passes, the same error returns (even with the syntax color quote issues resolved).

0 Karma

cult_hero13
Loves-to-Learn

I was running version 8.1.4 and upgraded to 8.20. Before the upgrade I had no messages other than that there was a new version available. After the upgrade I now get the message:

Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__889_server.domain.com

The "889" is newer. It started out as "9". I compared the referenced messages.conf file to one I had on a test instance running version 8.1.2, specifically the referenced stanza, and they looked to be identical. I see this thread has been open for quite a long time and hasn't been answered, and the problem seems to have affected older versions. I guess I might have to ask some of the Splunk engineers in my professional capacity.

0 Karma

subdriven
New Member

I just updated as well and am also getting this message. Would be interested if you find a solution from engineering. 

0 Karma

vhharanpositka
Path Finder

I am also getting this error in the same situation.
I can't use the append function, because the above error is appearing.

How can I solve this warning?

0 Karma