Splunk Enterprise

Troubleshooting: Invalid Key Stanza alert_actions.conf

JNgoho
Engager

Hi, 
I'm encountering this error when I run btool check:

Invalid key in stanza [email] in /opt/splunk/etc/apps/search/local/alert_actions.conf, line 2: show_password (value: True).

and inside the alert_actions.conf:

[email]
show_password = True

Could I just delete or rename the file? And what is this stanza for?
Because I can't see it in the documentation: https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Alertactionsconf


0 Karma
1 Solution

smurf
Communicator

Hi,

if the key is not present in the spec for alert_actions.conf, you are safe to remove it.

 

yeahnah
Communicator

This solution did not work for me

I found that deleting the alert_actions.conf file under $SPLUNK_HOME/etc/apps/search/local did not work, as the next time a send email alert is sent, Splunk just recreates the file with the unspec'd email.show_password = True entry.

I also found that this alert_actions file is also causing the "Send email" envelope icon (Settings > Alert Actions) to not render correctly in the UI.

I'm going to open a low level bug with Splunk about this, but in the meantime this is the workaround I've implemented: 

1.  Alert actions "Send email" icon

cp $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/img/mod_alert_icon_email.png $SPLUNK_HOME/etc/apps/search/appserver/static/

Note: our SHC is behind a load balancer so I also needed to increment the Bump version due to Splunk Web caching (http://<host>:<mport>/<locale_string>/_bump). Clearing your browser cache may also work (https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/assetcaching/)


2. Invalid entry when btool check run (optional)
* For Linux (modify commands as needed for Windows)
a) cd $SPLUNK_HOME/etc/apps/search/
b) mkdir README
c) cat <<EOF >README/alert_actions.conf.spec
show_password = <boolean>
* workaround, as parameter not defined in default alert_actions.conf.spec file
* this entry simply stops btool check complaining of invalid entry

EOF
d) Validate: ~/bin/splunk btool check

Note: I reproduced this on Splunk Enterprise v8.0.5 (it may occur in earlier versions too), but it looks to be fixed in the latest v8.2.6. However, you may need to manually delete the $SPLUNK_HOME/etc/apps/search/local/alert_actions.conf file (or the show_password entry) if upgrading Splunk to the latest from an earlier version (and splunk _internal call /services/admin/alert_actions/_reload + bump Splunk web) that had the issue already.

0 Karma
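The check discussed in this thread, as an added example that is not part of any post and is not Splunk's btool code: a simplified model that flags conf keys no spec file declares, run first against a system spec alone and then with the workaround spec from step 2. The system spec excerpt is constructed, wildcard stanzas are ignored, and the rule that keys listed before any stanza header are accepted in every stanza is an assumption consistent with the workaround above.

```python
import re

STANZA = re.compile(r"^\[([^\]]*)\]\s*$")
KEY = re.compile(r"^([A-Za-z_][\w.\-]*)\s*=")

def parse_keys(text):
    """Map stanza name -> set of keys; keys before any header go under 'default'."""
    stanzas, current = {"default": set()}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*":   # conf comments and spec description lines
            continue
        header = STANZA.match(line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, set())
        elif KEY.match(line):
            stanzas[current].add(KEY.match(line).group(1))
    return stanzas

def invalid_keys(conf_text, spec_texts):
    """Return sorted (stanza, key) pairs in the conf that no spec declares."""
    allowed = {}
    for spec in spec_texts:
        for stanza, keys in parse_keys(spec).items():
            allowed.setdefault(stanza, set()).update(keys)
    findings = []
    for stanza, keys in parse_keys(conf_text).items():
        # Assumption: keys a spec lists before any stanza header apply everywhere.
        declared = allowed.get(stanza, set()) | allowed.get("default", set())
        findings += [(stanza, key) for key in sorted(keys - declared)]
    return sorted(findings)

# The file from the question.
LOCAL_CONF = "[email]\nshow_password = True\n"
# Constructed excerpt standing in for etc/system/README/alert_actions.conf.spec.
SYSTEM_SPEC = "[email]\nfrom = <string>\nto = <string>\nmailserver = <host>[:<port>]\n"
# The spec written by step 2 of the workaround.
WORKAROUND_SPEC = "show_password = <boolean>\n* workaround, as parameter not defined\n"

if __name__ == "__main__":
    print(invalid_keys(LOCAL_CONF, [SYSTEM_SPEC]))
    print(invalid_keys(LOCAL_CONF, [SYSTEM_SPEC, WORKAROUND_SPEC]))
```
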

cyrmue
Explorer

Hi yeahnah

Thanks for your analysis. We still encounter the same problem in 8.2.6. Did you open a support ticket that I could reference?

0 Karma

yeahnah
Communicator

Hi @cyrmue 

No sorry, I thought it was fixed in v8.2.6 so never raised it with Splunk.

I just had a look at my pre-prod v8.2.6 env and can see the issue has reappeared again there.  At least I think I fixed it there but it's been a while now and I'd have to go back over what I did to reconfirm things.

Anyway, no Splunk support ticket was opened by me for this so please go ahead and raise it with them.  Please update here if you open one too.

0 Karma

cyrmue
Explorer

Hi

The problem is the python_upgrade_readiness_app App. If you upgrade it or disable it, the problem should disappear. But the buggy version is still shipped with the binary installation...

 

cyrmue
Explorer

In Splunk 9.0 the python_upgrade_readiness_app should be shipped in Version 4.0 (in 8.2.6 it was 1.0).
