Splunk Enterprise

Troubleshooting: Invalid Key Stanza alert_actions.conf

JNgoho
Engager

Hi, 
I'm encountering this error when I run btool check:

Invalid key in stanza [email] in /opt/splunk/etc/apps/search/local/alert_actions.conf, line 2: show_password (value: True).

and inside the alert_actions.conf:

[email]
show_password = True

Could I just delete or rename the file? And what is this stanza for?
Because I can't see it in the documentation https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Alertactionsconf


0 Karma

smurf
Communicator

Hi,

if the key is not present in the spec for alert_actions.conf, you are safe to remove it.


NK
Explorer

Splunk Windows 8.2.10 (upgraded from 8.2.6) - 

Who/What would put that in alert_actions.conf?

[email]
show_password = True  

Should I:

a. delete the alert_actions.conf file (nothing else is in the file) ?

b. Change it to False?

c. delete the file contents, but leave the empty file there?

0 Karma

yeahnah
Motivator

This solution did not work for me

I found that deleting the alert_actions.conf file under $SPLUNK_HOME/etc/apps/search/local did not work, as the next time a send email alert is sent, Splunk just recreates the file with the unspec'd email.show_password = True entry.

I also found that this alert_actions file is also causing the "Send email" envelope icon (Settings > Alert Actions)  to not render correctly in the UI.

I'm going to open a low level bug with Splunk about this, but in the meantime this is the workaround I've implemented: 

1.  Alert actions "Send email" icon

cp $SPLUNK_HOME/share/splunk/search_mrsparkle/exposed/img/mod_alert_icon_email.png $SPLUNK_HOME/etc/apps/search/appserver/static/

Note: our SHC is behind a load balancer so I also needed to increment the Bump version due to Splunk Web caching (http://<host>:<mport>/<locale_string>/_bump).   Clearing your browser cache may also work (https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/assetcaching/)


2. Invalid entry when btool check run (optional)
* For Linux (modify commands as needed for Windows)
a) cd $SPLUNK_HOME/etc/apps/search/
b) mkdir README
c) cat <<EOF >README/alert_actions.conf.spec
show_password = <boolean>
* workaround, as parameter not defined in default alert_actions.conf.spec file
* this entry simply stops btool check complaining of invalid entry

EOF
d) Validate: ~/bin/splunk btool check

Note: I reproduced this on Splunk Enterprise v8.0.5 (it may occur in earlier versions too), but it looks to be fixed in the latest v8.2.6.  However, you may need to manually delete the $SPLUNK_HOME/etc/apps/search/local/alert_actions.conf file (or the show_password entry) if upgrading Splunk to the latest from an earlier version that had the issue already (and splunk _internal call /services/admin/alert_actions/_reload + bump Splunk Web).
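
The idea behind step 2 of the workaround above, as an added example (not code from this thread and not Splunk's btool implementation): a key is flagged unless some .spec file declares it, so adding an app-level spec entry clears the finding without changing the .conf file. Assumptions: the spec and conf text below is constructed sample input, and a key that appears before any stanza header in a spec is treated as valid in every stanza, mirroring the stanza-less entry in the workaround.

```python
import re

# Constructed sample inputs (not copied from a real installation).
BASE_SPEC = "[email]\nfrom = <string>\nmailserver = <string>\n"
APP_SPEC = ("show_password = <boolean>\n"
            "* workaround, as parameter not defined in default spec file\n")
LOCAL_CONF = "[email]\nshow_password = True\n"

KEY_RE = re.compile(r"^([A-Za-z_][\w.\-]*)\s*=\s*(.*)$")


def parse(text):
    """Yield (line_no, stanza, key, value) for each 'key = value' line."""
    stanza = ""  # assumption: keys before any [stanza] header are global
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#*":  # comments / spec description lines
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            yield no, stanza, m.group(1), m.group(2)


def allowed_keys(*spec_texts):
    """Merge one or more .spec files into {stanza: {declared keys}}."""
    allowed = {}
    for text in spec_texts:
        for _, stanza, key, _ in parse(text):
            allowed.setdefault(stanza, set()).add(key)
    return allowed


def invalid_keys(conf_text, allowed):
    """Return (line_no, stanza, key, value) for keys that no spec declares."""
    global_keys = allowed.get("", set())
    return [
        (no, stanza, key, value)
        for no, stanza, key, value in parse(conf_text)
        if key not in allowed.get(stanza, set()) and key not in global_keys
    ]


if __name__ == "__main__":
    for no, stanza, key, value in invalid_keys(LOCAL_CONF, allowed_keys(BASE_SPEC)):
        print(f"Invalid key in stanza [{stanza}], line {no}: {key} (value: {value}).")
```

With only the base spec the sample reproduces the finding on line 2; with the app-level spec merged in, the same unchanged .conf passes, which is why the workaround is cosmetic and leaves the key in place.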

computermathguy
Path Finder

After creating the /opt/splunk/etc/apps/search/README directory, I ran "cat > alert_actions.conf.spec" within the README directory.  
 


0 Karma

cyrmue
Explorer

Hi yeahnah

Thanks for your analysis. We still encounter the same problem in 8.2.6. Did you open a support ticket which I could reference?

0 Karma

yeahnah
Motivator

Hi @cyrmue 

No sorry, I thought it was fixed in v8.2.6 so never raised it with Splunk.

I just had a look at my pre-prod v8.2.6 env and can see the issue has reappeared again there.  At least I think I fixed it there but it's been a while now and I'd have to go back over what I did to reconfirm things.

Anyway, no Splunk support ticket was opened by me for this so please go ahead and raise it with them.  Please update here if you open one too.

0 Karma

cyrmue
Explorer

Hi

The problem is the python_upgrade_readiness_app App. If you upgrade it or disable it, the problem should disappear. But the buggy version is still shipped with the binary installation...

 

cyrmue
Explorer

In Splunk 9.0 the python_upgrade_readiness_app should be shipped in Version 4.0 (in 8.2.6 it was 1.0).
