I have had Splunk installed for 3 months and use the free license.
Version: 7.2.1
Some days ago I received an error:
"Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.com"
After a restart it appears again.
Why did I begin receiving this error (I didn't change any configs)?
8/2024: I get this message with Linux Splunk v9.3.0
It started appearing after I relocated $SPLUNK_DB and freed up the space under $SPLUNK_HOME/var/lib/splunk/
Update:
The message stopped after splunkd re-created all the 2-byte index .dat files under the old location $SPLUNK_HOME/var/lib/splunk/
Maybe I should have used a symbolic link to relocate the index DB instead of defining a new DB location in splunk-launch.conf
I know this is an old thread but for anyone that is having the same problem, this might help.
I had the same problem after upgrading to v8.2.x but after some tests I found the cause.
Splunk Enterprise 8.2.x has some new integrated apps which are not part of the version I was upgrading from (7.2.x). In particular the "Python Upgrade Readiness App", which comes in version 1.0.0 but has the option to update to a newer available version.
This is what I found out:
- If I do not update the "Python Upgrade Readiness" app from version 1.0.0, I do not get any error message. I can also safely disable the app and no error message appears afterwards.
- If I update "Python Upgrade Readiness" to the latest version (as this is written, the latest version is 3.10), I get this error, and even though I disable the app after the upgrade, the error message still remains.
The only way I found to get rid of the error message after updating the App was to downgrade back to version 1.0.0.
To downgrade, simply replace the app folder "$SPLUNK_HOME/etc/apps/python_upgrade_readiness_app" with the 1.0.0 version (I got the old version from a freshly installed Splunk) and then restart Splunk.
Voila, all errors gone!
This was my solution, it does not have to be the same for others but hopefully helps some.
I upgraded my laptop to 8.2.1 today and received this error.
To resolve it, I opened C:\Splunk\etc\system\default\messages.conf in VS Code and it became apparent that several (about 10) single quotes were causing the misconfiguration. In places where a quote was missing I added it; in places where there was only one, I doubled it up.
i.e.
Sorry, it appears the error has not gone away for me - after some time passes, the same error returns (even with the syntax color quote issues resolved).
I was running version 8.1.4 and upgraded to 8.20. Before the upgrade I had no messages other than that there was a new version available. After the upgrade I now get the message:
Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__889_server.domain.com
The "889" is newer. It started out as "9". I compared the referenced messages.conf file to one I had on a test instance running version 8.1.2, specifically the referenced stanza, and they looked to be identical. I see this thread has been open for quite a long time and hasn't been answered, and the problem seems to have affected older versions. I guess I might have to ask some of the Splunk engineers in my professional capacity.
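Added example (not from this thread or from Splunk): a small Python check that parses a messages.conf-style file and reports whether the stanza named in the warning exists and looks well formed, including the unbalanced single-quote problem mentioned earlier in the thread. The sample stanza text, the assumed required keys `message` and `severity`, and the assumption that the trailing `__<counter>_<host>` part of the reported id is an instance suffix rather than part of the stanza name are all constructed for this example.

```python
import re
# Constructed samples in messages.conf style; neither is copied from a real Splunk install.
SAMPLE_OK = """\
[INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS]
message = File integrity checks found problems; see the Monitoring Console for details.
severity = warn
"""
SAMPLE_BROKEN = """\
[INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS]
message = Couldn't verify installed files; see the Monitoring Console for details.
"""
REQUIRED_KEYS = ("message", "severity")  # assumed minimum for a well-formed stanza
ERROR_RE = re.compile(r'Missing or malformed messages\.conf stanza for ([^\s"]+)')

def parse_conf(text):
    # Minimal .conf reader: {stanza: {key: value}}, skipping blank lines and '#' comments.
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def candidate_stanzas(message_id):
    # The id as reported, then with an assumed '__<counter>_<host>' instance suffix stripped.
    yield message_id
    base = re.sub(r"__\d+_[^:]+$", "", message_id)
    if base != message_id:
        yield base

def check_error(error_text, conf_text):
    # Report on the stanza the warning names; None if error_text is not that warning.
    match = ERROR_RE.search(error_text)
    if not match:
        return None
    stanzas = parse_conf(conf_text)
    for name in candidate_stanzas(match.group(1)):
        if name in stanzas:
            keys = stanzas[name]
            missing = [k for k in REQUIRED_KEYS if k not in keys]
            # an odd number of single quotes in a value is the quote problem described above
            odd_quotes = [k for k, v in keys.items() if v.count("'") % 2 == 1]
            return {"stanza": name, "found": True, "missing_keys": missing, "odd_quote_keys": odd_quotes}
    return {"stanza": match.group(1), "found": False, "missing_keys": list(REQUIRED_KEYS), "odd_quote_keys": []}
```

Run `check_error(warning_text, open(path_to_messages_conf).read())` against the file the warning points at; a `found: False` result means the stanza is absent, while non-empty `missing_keys` or `odd_quote_keys` point at the malformed part.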
I just updated as well and am also getting this message. Would be interested if you find a solution from engineering.
I am also getting this error in the same situation.
I can't use the append function, because the above error is appearing.
How can I solve this warning?