I just installed the Splunk Add-on for Bro IDS on my indexer cluster master, and attempted to push the bundle. The attempt is unsuccessful due to the following errors:
No spec file for: /opt/splunk/etc/master-apps/Splunk_TA_bro/default/eventgen.conf;
Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 3: recursive (value: False);
Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 5: store_dir (value: $SPLUNK_HOME/var/spool/splunk);
Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 7: bro_bin (value: /opt/bro/bin/bro);
Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 8: bro_opts (value: -C);
Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 9: bro_script (value: None);
Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 10: bro_seeds (value: None);
Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 11: bro_merge (value: False);
Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 14: content_maxsize (value: 1024);
Invalid key in stanza [pcap_monitor] in /opt/splunk/etc/master-apps/Splunk_TA_bro/default/inputs.conf, line 17: run_maxtime (value: 1800)
What would be the best way to rectify these errors?
Thank you.