I have splunk installed 3 month and use free license.
Some days ago i received an error
"Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.com"
After restart it apears again.
Why I begin receiving error (i doesn't change any configs)?
I know this is an old thread but for anyone that is having the same problem, this might help.
I had the same problem after upgrading to v8.2.x but after some tests I found the cause.
Splunk Enterprise 8.2.x has some new integrated apps which are not part of the version I was upgrading from (7.2.x). In particular "Python Upgrade Readiness App" which comes in the version 1.0.0 but has the option to Update to a newer available version.
This is what I found out:
- If I do not update the "Python Upgrade Readiness" from version 1.0.0, I do not get any error message. I can also safely disabled the app and no error message appears after.
- If I update "Python Upgrade Readiness" to the latest version (when this is written, latest version is 3.10), I get this error and even though I disable the App after upgrade. The error message still remains.
The only way I found to get rid of the error message after updating the App was to downgrade back to version 1.0.0.
To downgrade, simply replace the app folder "$SPLUNK_HOME/etc/apps/python_upgrade_readiness_app" with the 1.0.0 version (I got the old version from a fresh installed Splunk) and then restart Splunk.
Voila, all errors gone!
This was my solution, it does not have to be the same for others but hopefully helps some.
I upgraded my laptop to 8.2.1 today and received this error.
To resolve, I opened C:\Splunk\etc\system\default\messages.conf in VS Code and it became apparent that several (about 10) single quotes were causing the misconfiguration. In places where a quote was missing I added it in places where there was only one, I double it up.
I was running version 8.1.4 and upgraded to 8.20. Before the upgrade I had no messages other than that there was a new version available. After the upgrade I now get the message:
Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__889_server.domain.com
The "889" is newer. It started out as "9". I compared the referenced messages.conf file to one I had on a test instance running version 8.1.2, specifically the referenced stanza, and they looked to be identical. I see this thread has been open for quite a long time and hasn't been answered, and the problem seems to have affected older versions. I guess I might have to ask some of the Splunk engineers in my professional capacity.