I am running Splunk 5. When I restart Splunk, the Cisco Security Suite app is complaining about possible typos in my configuration files and now the app won't run.
I have never edited these files by hand, so I don't think I messed it up by hand. However, I did recently update from Cisco Security Suite 3.0.2 to 3.0.3 and I wonder if something bad happened during the upgrade.
Any ideas how I can recover from this error?
Update: I even tried uninstalling the App and I still get this error afterwards. After I uninstalled the app, I verified that /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite didn't exist, and then reinstalled the app. The same problem still occurs.
[root@host ~]# splunk btool check
Possible typo in stanza [Cisco Security Suite - Overview - Global Security Events Map] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 7: display.general.enablePreview = true
Possible typo in stanza [Cisco Security Suite - Overview - Global Security Events Map] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 8: display.general.timeRangePicker.show = true
Possible typo in stanza [Cisco Security Suite - Overview - Security Event Stats by Host] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 16: display.general.enablePreview = true
Possible typo in stanza [Cisco Security Suite - Overview - Security Event Stats by Host] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 17: display.general.type = statistics
Possible typo in stanza [Cisco Security Suite - Overview - Security Event Stats by Host] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 18: display.general.timeRangePicker.show = true
...
... SKIPPED MANY LINES
...
Possible typo in stanza [Cisco Security Suite - Overview - Top Threats] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 83: display.visualizations.chartHeight = 600px
Possible typo in stanza [Cisco Security Suite - Overview - Top Threats] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 84: display.visualizations.charting.chart = pie
Possible typo in stanza [Cisco Security Suite - Overview - Top Threats] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 85: display.visualizations.charting.legend.placement = right
[root@host ~]#
Given the quiet response here, I don't think I can solve this without a ton more investigation and I don't have much time to spend on this problem.
I updated from Splunk 5 to Splunk 6. The error has now gone away. This makes me think that the root cause of this error was actually outside of the CSS application.
Very strange as those "possible typos" are all in savedsearches.conf and savedsearches.conf did not change from version 3.0.2 to 3.0.3. What version of Splunk are you running? Also, does anything look strange in savedsearches.conf (like extra characters)?
Version 3.x of the Cisco Security Suite was built for Splunk 6.x. Some parts will work on Splunk 5.x, but others will not.
I updated my question (see above). I was also able to work around this error by updating from Splunk 5 to Splunk 6.
savedsearches.conf looks completely fine to me. No strange whitespace issues, etc.
I am running Splunk 5. I will update to Splunk 6, but I figure I should first fix critical failures like this one before upgrading.
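A triage sketch for the `splunk btool check` output quoted in this thread, added here as an example and not part of the original posts, of Splunk, or of the Cisco app. It parses the "Possible typo" lines and flags files under an app's default/ directory where every flagged key shares one namespace (here `display.*`), the pattern that fits an app built for a newer Splunk version rather than a hand-edit typo. The function names, the heuristic and the last sample line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines follow the format quoted in the
# question; the last line is a made-up hand-edit typo for contrast.
SAMPLE = """\
Possible typo in stanza [Cisco Security Suite - Overview - Global Security Events Map] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 7: display.general.enablePreview = true
Possible typo in stanza [Cisco Security Suite - Overview - Top Threats] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 83: display.visualizations.chartHeight = 600px
Possible typo in stanza [Cisco Security Suite - Overview - Top Threats] in /opt/splunk/etc/apps/Splunk_CiscoSecuritySuite/default/savedsearches.conf, line 84: display.visualizations.charting.chart = pie
Possible typo in stanza [My Search] in /opt/splunk/etc/apps/search/local/savedsearches.conf, line 3: dispatch.earliest_tme = -24h
[root@host ~]#
"""

LINE_RE = re.compile(
    r"^Possible typo in stanza \[(?P<stanza>.*)\] in (?P<path>/.+?), "
    r"line (?P<line>\d+): (?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$"
)

def parse_btool_check(text):
    """Return one dict per 'Possible typo' line; other lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(findings):
    """Group findings per file and flag the pattern seen in this thread."""
    by_file = defaultdict(list)
    for f in findings:
        by_file[f["path"]].append(f)
    report = {}
    for path, items in by_file.items():
        layer = path.rsplit("/", 2)[-2]  # 'default' or 'local'
        namespaces = {i["key"].split(".", 1)[0] for i in items}
        # Heuristic (assumption): vendor-shipped file + a single key namespace
        # => keys unknown to this Splunk version, not hand-made typos.
        mismatch = layer == "default" and len(namespaces) == 1 and len(items) > 1
        report[path] = {
            "layer": layer,
            "count": len(items),
            "namespaces": sorted(namespaces),
            "verdict": "likely version mismatch" if mismatch else "inspect by hand",
        }
    return report

if __name__ == "__main__":
    for path, info in triage(parse_btool_check(SAMPLE)).items():
        print(path, info)
```

Feed it the real output by replacing `SAMPLE` with the captured text of `splunk btool check`.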