Refine your search:

Why is Splunk reporting possible typos in configuration file stanzas after upgrading to 4.2?

-1
2

Since I upgraded to 4.2, I am getting errors reported on stdout when Splunk is started from the command line : 


Error recv:
Possible typo in stanza [HourlyCapacity_indexBulkCount-cs] in /export/home/rsimmons/searchUi/etc/apps/sfmapp/default/savedsearches.conf, line 4705: userdefined.mandm.loadbalance = 1
Possible typo in stanza [HourlyCapacity_indexBulkCount-eu] in /export/home/rsimmons/searchUi/etc/apps/sfmapp/default/savedsearches.conf, line 4719: userdefined.mandm.loadbalance = 1

asked 14 Mar '11, 22:08

rsimmons's gravatar image

rsimmons ♦
1.0k114
accept rate: 36%

edited 24 Mar '11, 01:40

hexx's gravatar image

hexx ♦
7.5k1940

1

Could you please put the question into the question body, and set the title to be something that would indicate the contents of this question body? Thanks.

(15 Mar '11, 15:01) gkanapathy ♦
1

I think she's referring to these error messages during the upgrade: Possible typo in stanza [class_id] in /opt/splunk/etc/apps/SplunkforBlueCoat/default/transforms.conf, line 30: SOURC_KEY = ClassID

I saw this in my dev environment (haven't done my production environment yet).

Brian

(15 Mar '11, 15:02) Brian Osburn
3 Answers:
oldestnewestmost voted
8

Splunk 4.2 checks the keys (only keys, not values!) in live configuration files by comparing them with the contents of the spec file for that configuration file.

For example, let's say that I create the following stanza in $SPLUNK_HOME/etc/system/local/inputs.conf : 


[monitor:///var/log/kludgy.log]
sourcetype = kludgy
crcPepper = <SOURCE>

On splunkd startup, there will be a syntax check for the "crcPepper" configuration key performed against the keys listed for the [monitor://] stanza type in $SPLUNK_HOME/etc/system/README/inputs.conf.spec - http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf :

[monitor://<path>]
* This directs Splunk to watch all files in <path>. 
* <path> can be an entire directory or just a single file.
* You must specify the input type and then the path, so put three slashes in your path if you're starting 
at the root (to include the slash that goes before the root directory).

# Additional attributes:

host_regex = <regular expression>
* If specified, <regular expression> extracts host from the filename of each input file.

(...)

_blacklist = ...
* This setting is deprecated.  It is still honored, unless "blacklist" attribute also exists.
dedicatedFD = ...
* This setting has been removed.  It is no longer needed.

As you can imagine, the "crcPepper" key will not be found here which will cause Splunk to report the error on the standard output when splunkd is started from the command line :


Checking conf files for typos...
Possible typo in stanza [monitor:///var/log/kludgy.log] in /home/octavio/splunk/etc/system/local/inputs.conf, line 6: crcPepper  =  <SOURCE>

Note that this only a warning, Splunk does not take any action other than reporting this possible syntax error.

link

answered 24 Mar '11, 01:34

hexx's gravatar image

hexx ♦
7.5k1940
accept rate: 51%

7

Previous versions of Splunk did not check configuration files for possible errors. Version 4.2 does,and issues warnings during startup. Some applications that work may contain invalid parameters names that don't affect functionality, but trigger the warnings. (Extraneous or misspelled parameters in most Splunk config is simply ignored.) You can either ignore the warnings, or check and remedy them. Some apps that were delivered in older versions of Splunk may have contain spurious but harmless entries that now generate the warnings.

link

answered 16 Mar '11, 19:07

gkanapathy's gravatar image

gkanapathy ♦
26.2k1622
accept rate: 42%

0

I too received errors that there could be typos in stanza's. They went away when I updated the unix and windows apps to 4.2 .

link

answered 15 Mar '11, 18:43

JSapienza's gravatar image

JSapienza
1394
accept rate: 17%

Post your answer
toggle preview

Copyright © 2005-2012 Splunk, Inc. All rights reserved.