Splunk Enterprise

Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.com

dees74
Explorer

I have had Splunk installed for 3 months and use the free license.
Version: 7.2.1

Some days ago I received an error:
"Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.com"

After a restart it appears again.
Why did I begin receiving this error (I didn't change any configs)?


NK
Explorer

Happens in Splunk Enterprise v9.4.0 for Windows too.

0 Karma

NK
Explorer

8/2024: I get this message with Linux Splunk v9.3.0

It started appearing after I relocated $SPLUNK_DB and freed up the space under $SPLUNK_HOME/var/lib/splunk/

Update:

The message stopped after splunkd re-created all the 2-byte index .dat files under the old location $SPLUNK_HOME/var/lib/splunk/

Maybe I should have used a symbolic link to relocate the index DB instead of defining a new DB location in splunk-launch.conf

0 Karma

snowman0
Loves-to-Learn

I know this is an old thread but for anyone that is having the same problem, this might help.
I had the same problem after upgrading to v8.2.x but after some tests I found the cause.

Splunk Enterprise 8.2.x has some new integrated apps which are not part of the version I was upgrading from (7.2.x). In particular the "Python Upgrade Readiness App", which comes as version 1.0.0 but has the option to update to a newer available version.

This is what I found out:

- If I do not update the "Python Upgrade Readiness" app from version 1.0.0, I do not get any error message. I can also safely disable the app and no error message appears afterwards.

- If I update "Python Upgrade Readiness" to the latest version (when this is written, the latest version is 3.10), I get this error, and even if I disable the app after the upgrade, the error message still remains.

The only way I found to get rid of the error message after updating the App was to downgrade back to version 1.0.0.

To downgrade, simply replace the app folder "$SPLUNK_HOME/etc/apps/python_upgrade_readiness_app" with the 1.0.0 version (I got the old version from a freshly installed Splunk) and then restart Splunk.
Voila, all errors gone!

This was my solution, it does not have to be the same for others but hopefully helps some.

0 Karma

csyvenky
Path Finder

I upgraded my laptop to 8.2.1 today and received this error.

To resolve, I opened C:\Splunk\etc\system\default\messages.conf in VS Code and it became apparent that several (about 10) single quotes were causing the misconfiguration. In places where a quote was missing I added it; in places where there was only one, I doubled it up.

i.e.

Error deleting temporary file %s', after copying to sinkhole.
became:
Error deleting temporary file >>'<<%s', after copying to sinkhole.
 
and
 
There aren't enough qualifying results (%u) for the specified number of clusters (%u).
became:
There aren>>'<<'t enough qualifying results (%u) for the specified number of clusters (%u).
 
Restarted Splunk and error appears to be gone.
0 Karma

csyvenky
Path Finder

Sorry, it appears the error has not gone away for me - after some time passes, the same error returns (even with the syntax color quote issues resolved).

0 Karma
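An added example, not code from the original thread and not part of Splunk: a small parser for the Splunk .conf layout that (a) extracts the stanza name from the warning text quoted above, (b) checks whether that stanza exists in a messages.conf-style file and carries the keys a message stanza needs, and (c) lists lines with an odd number of single quotes, which is the heuristic csyvenky tried by hand (and which, per the follow-up, did not make the warning go away). Two assumptions are baked in and marked in comments: that the `__<n>_<host>` suffix in the warning is an instance-specific qualifier rather than part of the stanza name, and that `message` and `severity` are the keys a stanza must carry. The sample file is constructed for the example; only the first stanza name comes from the thread.

```python
"""Check a Splunk-style messages.conf for the stanza a splunkd warning names.

Added example for the thread above; not Splunk code. Run with no arguments to
use the constructed sample, or pass a path to a real messages.conf.
"""
import re
import sys

# Constructed sample in messages.conf layout. Only the first stanza name is
# taken from the thread; the EXAMPLE:* stanzas are made up for this script.
SAMPLE_MESSAGES_CONF = """\
# constructed sample, not the messages.conf shipped with Splunk
[INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS]
message = File integrity checks found %u problems; \\
  see splunkd.log for details.
severity = warn

[EXAMPLE:TMP_FILE]
message = Error deleting temporary file %s', after copying to sinkhole.
severity = error

[EXAMPLE:CLUSTERS]
message = There aren't enough qualifying results (%u) for the specified number of clusters (%u).
"""

WARNING = ("Missing or malformed messages.conf stanza for "
           "INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__1_splunk.domain.com")


def _logical_lines(text):
    """Yield (first_physical_lineno, line) with trailing-backslash continuations merged."""
    pending, start = None, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if pending is None:
            pending, start = "", n
        continued = line.endswith("\\")
        piece = line[:-1] if continued else line
        pending += piece if not pending else piece.lstrip()
        if continued:
            continue
        yield start, pending
        pending = None
    if pending is not None:
        yield start, pending


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; comments and blanks are skipped."""
    conf, current = {}, None
    for n, line in _logical_lines(text):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            conf[current] = {}
        elif "=" in s and current is not None:
            key, _, val = s.partition("=")
            conf[current][key.strip()] = val.strip()
        else:
            raise ValueError(f"line {n}: cannot parse {line!r}")
    return conf


def stanza_from_warning(warning):
    """Return the stanza name a 'Missing or malformed messages.conf stanza' warning refers to."""
    m = re.search(r"messages\.conf stanza for (\S+)", warning)
    if not m:
        raise ValueError("not a messages.conf stanza warning")
    # ASSUMPTION: the '__<n>_<host>' tail is an instance-specific qualifier
    # (it changed from 1 to 889 in the thread), not part of the stanza name.
    return m.group(1).split("__", 1)[0]


def check_stanza(conf, name, required=("message", "severity")):
    """Return a list of problems with the named stanza (empty list means it looks fine).

    ASSUMPTION: 'message' and 'severity' are the keys a message stanza needs.
    """
    if name not in conf:
        return [f"stanza [{name}] not found"]
    return [f"stanza [{name}] lacks '{k}'" for k in required if k not in conf[name]]


def unbalanced_quote_lines(text):
    """Physical lines with an odd number of single quotes (the heuristic tried in the thread)."""
    return [(n, raw) for n, raw in enumerate(text.splitlines(), 1) if raw.count("'") % 2 == 1]


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_MESSAGES_CONF
    conf = parse_conf(text)
    name = stanza_from_warning(WARNING)
    for line in check_stanza(conf, name) or [f"stanza [{name}] present and well formed"]:
        print(line)
    for n, raw in unbalanced_quote_lines(text):
        print(f"line {n}: odd number of single quotes: {raw}")
```

Pointing the script at the real `$SPLUNK_HOME/etc/system/default/messages.conf` tells you whether the stanza splunkd is looking for is actually there; if it is, the warning is about something other than the file's syntax, which matches what csyvenky saw after the quote edits.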

cult_hero13
Loves-to-Learn Lots

I was running version 8.1.4 and upgraded to 8.20.  Before the upgrade I had no messages other than that there was a new version available.  After the upgrade I now get the message:

Missing or malformed messages.conf stanza for INSTALLED_FILES_INTEGRITY:FOUND_INTEGRITY_PROBLEMS__889_server.domain.com

The "889" is newer. It started out as "9". I compared the referenced messages.conf file to one I had on a test instance running version 8.1.2, specifically the referenced stanza, and they looked to be identical. I see this thread has been open for quite a long time and hasn't been answered, and the problem seems to have affected older versions. I guess I might have to ask some of the Splunk engineers in my professional capacity.

0 Karma

subdriven
New Member

I just updated as well and am also getting this message. Would be interested if you find a solution from engineering. 

0 Karma

vhharanpositka
Path Finder

I am also getting this error in the same situation.
I can't use the append function, because the above error is appearing.

How can I solve this warning?

0 Karma