Dear All,
I have a pretty bare Splunk Universal Forwarder that was installed at 8.2.5 and had no errors on restart, but when I upgraded it to 9.0.0.1, I started to get the following errors?
NOTE: These are all in the system/default files (so not my settings):
Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
Invalid key in stanza [provider:splunk] in /opt/splunkforwarder/etc/system/default/federated.conf, line 20: mode (value: standard).
Invalid key in stanza [general] in /opt/splunkforwarder/etc/system/default/federated.conf, line 23: needs_consent (value: true).
"Pretty sure"? I can't find those settings in the 8.2.5 or 9.0.0 docs so I wonder what they're doing there. None of them apply to Universal Forwarders so you might as well remove them.
I am not sure how those settings got there, but the way that I got those errors was:
1) Install Splunk Universal Forwarder at version 8.2.5.
2) Upgrade Splunk Universal Forwarder to 9.0.0.1.
I just redid it and on start up of the Forwarder, I get these messages:
Invalid key in stanza [webhook] in /opt/splunkforwarder/etc/system/default/alert_actions.conf, line 229: enable_allowlist (value: false).
Invalid key in stanza [provider:splunk] in /opt/splunkforwarder/etc/system/default/federated.conf, line 20: mode (value: standard).
Invalid key in stanza [general] in /opt/splunkforwarder/etc/system/default/federated.conf, line 23: needs_consent (value: true).
I will take out the weird configurations, but this is kind-of to help others, if they get the same results.