Installation

Why is Splunk reporting possible typos in configuration file stanzas after upgrading to 4.2?

rsimmons
Splunk Employee
Splunk Employee

Since I upgraded to 4.2, I am getting errors reported on stdout when Splunk is started from the command line :


Error recv:
Possible typo in stanza [HourlyCapacity_indexBulkCount-cs] in /export/home/rsimmons/searchUi/etc/apps/sfmapp/default/savedsearches.conf, line 4705: userdefined.mandm.loadbalance = 1
Possible typo in stanza [HourlyCapacity_indexBulkCount-eu] in /export/home/rsimmons/searchUi/etc/apps/sfmapp/default/savedsearches.conf, line 4719: userdefined.mandm.loadbalance = 1

Tags (2)
1 Solution

hexx
Splunk Employee
Splunk Employee

Splunk 4.2 checks the keys (only keys, not values!) in live configuration files by comparing them with the contents of the spec file for that configuration file.

For example, let's say that I create the following stanza in $SPLUNK_HOME/etc/system/local/inputs.conf :


[monitor:///var/log/kludgy.log]
sourcetype = kludgy
crcPepper = <SOURCE>

On splunkd startup, there will be a syntax check for the "crcPepper" configuration key performed against the keys listed for the [monitor://] stanza type in $SPLUNK_HOME/etc/system/README/inputs.conf.spec - http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf :

[monitor://<path>]
* This directs Splunk to watch all files in <path>. 
* <path> can be an entire directory or just a single file.
* You must specify the input type and then the path, so put three slashes in your path if you're starting 
at the root (to include the slash that goes before the root directory).

# Additional attributes:

host_regex = <regular expression>
* If specified, <regular expression> extracts host from the filename of each input file.

(...)

_blacklist = ...
* This setting is deprecated.  It is still honored, unless "blacklist" attribute also exists.
dedicatedFD = ...
* This setting has been removed.  It is no longer needed.

As you can imagine, the "crcPepper" key will not be found here which will cause Splunk to report the error on the standard output when splunkd is started from the command line :


Checking conf files for typos...
Possible typo in stanza [monitor:///var/log/kludgy.log] in /home/octavio/splunk/etc/system/local/inputs.conf, line 6: crcPepper  =  <SOURCE>

Note that this only a warning, Splunk does not take any action other than reporting this possible syntax error.

View solution in original post

hexx
Splunk Employee
Splunk Employee

Splunk 4.2 checks the keys (only keys, not values!) in live configuration files by comparing them with the contents of the spec file for that configuration file.

For example, let's say that I create the following stanza in $SPLUNK_HOME/etc/system/local/inputs.conf :


[monitor:///var/log/kludgy.log]
sourcetype = kludgy
crcPepper = <SOURCE>

On splunkd startup, there will be a syntax check for the "crcPepper" configuration key performed against the keys listed for the [monitor://] stanza type in $SPLUNK_HOME/etc/system/README/inputs.conf.spec - http://www.splunk.com/base/Documentation/latest/Admin/Inputsconf :

[monitor://<path>]
* This directs Splunk to watch all files in <path>. 
* <path> can be an entire directory or just a single file.
* You must specify the input type and then the path, so put three slashes in your path if you're starting 
at the root (to include the slash that goes before the root directory).

# Additional attributes:

host_regex = <regular expression>
* If specified, <regular expression> extracts host from the filename of each input file.

(...)

_blacklist = ...
* This setting is deprecated.  It is still honored, unless "blacklist" attribute also exists.
dedicatedFD = ...
* This setting has been removed.  It is no longer needed.

As you can imagine, the "crcPepper" key will not be found here which will cause Splunk to report the error on the standard output when splunkd is started from the command line :


Checking conf files for typos...
Possible typo in stanza [monitor:///var/log/kludgy.log] in /home/octavio/splunk/etc/system/local/inputs.conf, line 6: crcPepper  =  <SOURCE>

Note that this only a warning, Splunk does not take any action other than reporting this possible syntax error.

gkanapathy
Splunk Employee
Splunk Employee

Previous versions of Splunk did not check configuration files for possible errors. Version 4.2 does,and issues warnings during startup. Some applications that work may contain invalid parameters names that don't affect functionality, but trigger the warnings. (Extraneous or misspelled parameters in most Splunk config is simply ignored.) You can either ignore the warnings, or check and remedy them. Some apps that were delivered in older versions of Splunk may have contain spurious but harmless entries that now generate the warnings.

JSapienza
Contributor

I too received errors that there could be typos in stanza's. They went away when I updated the unix and windows apps to 4.2 .

0 Karma

Brian_Osburn
Builder

I think she's referring to these error messages during the upgrade:
Possible typo in stanza [class_id] in /opt/splunk/etc/apps/SplunkforBlueCoat/default/transforms.conf, line 30: SOURC_KEY = ClassID

I saw this in my dev environment (haven't done my production environment yet).

Brian

gkanapathy
Splunk Employee
Splunk Employee

Could you please put the question into the question body, and set the title to be something that would indicate the contents of this question body? Thanks.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...