All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cisco Security Suite won't run because of "Possible typo in stanza [Cisco Security Suite ..."

stefanlasiewski
Contributor
‎06-16-2014 11:21 AM

I am running Splunk 5. When I restart Splunk, the Cisco Security Suite app is complaining about possible typos in my configuration files and now the app won't run.

I have never edited these files by hand, so I don't think I messed it up by hand. However, I did recently update from Cisco Security Suite 3.0.2 to 3.0.3 and I wonder if something bad happened during the upgrade.

Any ideas how I can recover from this error?

Update: I even tried uninstalling the App and I still get this error afterwards. After I uninstalled the app, I verified that /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite didn't exist, and then reinstalled the app. The same problem still occurs.

[root@host ~]# splunk btool check
                Possible typo in stanza [Cisco Security Suite - Overview - Global Security Events Map] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 7: display.general.enablePreview  =  true
                Possible typo in stanza [Cisco Security Suite - Overview - Global Security Events Map] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 8: display.general.timeRangePicker.show   =  true
                Possible typo in stanza [Cisco Security Suite - Overview - Security Event Stats by Host] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 16: display.general.enablePreview  =  true
                Possible typo in stanza [Cisco Security Suite - Overview - Security Event Stats by Host] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 17: display.general.type  =  statistics
                Possible typo in stanza [Cisco Security Suite - Overview - Security Event Stats by Host] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 18: display.general.timeRangePicker.show =  true
                ...
                ... SKIPED MANY LINES
                ...
                Possible typo in stanza [Cisco Security Suite - Overview - Top Threats] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 83: display.visualizations.chartHeight  =  600px
                Possible typo in stanza [Cisco Security Suite - Overview - Top Threats] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 84: display.visualizations.charting.chart =  pie
                Possible typo in stanza [Cisco Security Suite - Overview - Top Threats] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 85: display.visualizations.charting.legend.placement =  right
[root@host ~]#
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stefanlasiewski
Contributor
‎06-16-2014 02:15 PM

Given the quiet response here, I don't think I can solve this without a ton more investigation and I don't have much time to spend on this problem.

I updated from Splunk 5 to Splunk 6. The error has now gone away. This makes me think that the root cause of this error was actually outside of the CSS application.

View solution in original post

Reply
Solved! Jump to solution
Solution

stefanlasiewski
Contributor
‎06-16-2014 02:15 PM

Given the quiet response here, I don't think I can solve this without a ton more investigation and I don't have much time to spend on this problem.

I updated from Splunk 5 to Splunk 6. The error has now gone away. This makes me think that the root cause of this error was actually outside of the CSS application.

Reply
Solved! Jump to solution

jconger
Splunk Employee
Splunk Employee
‎06-16-2014 11:40 AM

Very strange as those "possible typos" are all in savedsearches.conf and savedsearches.conf did not change from version 3.0.2 to 3.0.3. What version of Splunk are you running? Also, does anything look strange in savedsearches.conf (like extra characters)?

0 Karma
Reply
Solved! Jump to solution

jconger
Splunk Employee
Splunk Employee
‎06-16-2014 02:25 PM

Version 3.x of the Cisco Security Suite was built for Splunk 6.x. Some parts will work on Splunk 5.x, but others will not.

0 Karma
Reply
Solved! Jump to solution

stefanlasiewski
Contributor
‎06-16-2014 02:16 PM

I updated my question (see above). I was also able to work around this error by updating from Splunk 5 to Splunk 6.

0 Karma
Reply
Solved! Jump to solution

stefanlasiewski
Contributor
‎06-16-2014 11:51 AM

savedsearches.conf looks completely fine to me. No strange whitespace issues, etc.

0 Karma
Reply
Solved! Jump to solution

stefanlasiewski
Contributor
‎06-16-2014 11:50 AM

I am running Splunk 5. I will update to Splunk 6, but I figure I should first fix critical failures like this one before upgrading.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...