Splunk Enterprise

Why am I getting errors in system default file configuration when upgrading a Universal Forwarder from 8.2.5 to 9.0.0.1?

BlueSocket
Communicator

Dear All,

I have a pretty bare Splunk Universal Forwarder that was installed at 8.2.5 and had no errors on restart, but when I upgraded it to 9.0.0.1, I started to get the following errors?

NOTE: These are all in the system/default files (so not my settings):

Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).

Invalid key in stanza [provider:splunk] in /opt/splunkforwarder/etc/system/default/federated.conf, line 20: mode (value: standard).

Invalid key in stanza [general] in /opt/splunkforwarder/etc/system/default/federated.conf, line 23: needs_consent (value: true).

Labels (2)
Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

"Pretty sure"?  I can't find those settings in the 8.2.5 or 9.0.0 docs so I wonder what they're doing there.  None of them apply to Universal Forwarders so you might as well remove them.

---
If this reply helps you, Karma would be appreciated.
0 Karma

BlueSocket
Communicator

I am not sure how those settings got there, but the way that I got those errors was:

1) Install Splunk Universal Forwarder at version 8.2.5.

2) Upgrade Splunk Universal Forwarder to 9.0.0.1.

I just redid it and on start up of the Forwarder, I get these messages:

Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).

Invalid key in stanza [provider:splunk] in /opt/splunkforwarder/etc/system/default/federated.conf, line 20: mode (value: standard).

Invalid key in stanza [general] in /opt/splunkforwarder/etc/system/default/federated.conf, line 23: needs_consent (value: true).

I will take out the weird configurations, but this is kind-of to help others, if they get the same results.

Tags (1)
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...