Getting Data In

Upgraded to Splunk 5.0.3, and noticing "Undocumented key used in transforms.conf" messages during startup

Splunk Employee
Splunk Employee

After upgrading to Splunk 5.0.3, upon startup, I noticed the following messages:

Undocumented key used in transforms.conf; stanza='syslogout' setting='DEST_KEY' key='_SYSLOG_ROUTING'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended.
All preliminary checks passed.

I do have _SYSLOG_ROUTING setup in my transforms.conf as per splunk online doc for syslog out:

And this configuration has been working fine prior to splunk 5.0.3 upgrade.

Splunk Employee
Splunk Employee

This is a known bug (SPL-68932) in Splunk 5.0.3. The message is rather harmless, and your _SYSLOG_ROUTING should still works as usual.

You can either ignore the message during splunk startup, or by adding the following entries in your transforms.conf to make the message go away:


More details on this [accepted_keys] stanza here:

Once you have made the above changes and restart splunk, the warning messages should go away.

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!