Hi All,
Recently I downloaded the "Splunk for F5 Access" app and installed it into my Splunk box.
Whenever I restart the Splunk process, I see the following configuration warning:
Checking filesystem compatibility... Done
Possible typo in stanza [firepass_log] in /home/splunk/etc/apps/firepass/default/props.conf, line 6: TRANSFORM = firepass-host
There might be typos in your conf files. For more information, run 'splunk btool check --debug'
Checking conf files for typos... Done
All preliminary checks passed.
Content of Props.conf:
[firepass_log]
KV_MODE = none
TIME_FORMAT = %b%d%H:%M:%S
TRANSFORM = firepass_host
REPORT-sid = firepass-host,firepass_term_host_prt,firepass_login_src,firepass_failed_valid,firepass_failed_invalid,firepass_sid_full,firepass_sid_full_condensed,firepass_sid,firepass_sid_kv,firepass_access_type,firepass_remote,firepass_intrusion,firepass_app_tunnel_remote_host,firepass_user_domain,firepass_logon_denied
Transforms.conf
[firepass_host]
DEST_KEY = MetaData:Host
REGEX = (\d+\.\d+.\d+.\d+)
FORMAT = host::$1
Can someone please help me find what the issue is?
As you see, it highlights the part where we have the error in the syntax.
Props.conf requires the Transform-
[firepass_log]
KV_MODE = none
TIME_FORMAT = %b%d%H:%M:%S
TRANSFORMS-firepass = firepass_host
This should fix the error.
Did you restart Splunk? It shouldn't find the same error after changing, because that wouldn't be there at all.
Hi Linu1988,
I tried as you said also. Still have the same problem.
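An added example, not part of the thread and not code from the app: a small lint for two things visible in the posted files, a class-based props.conf key written without its -<class> suffix and a transform name that has no stanza in transforms.conf. The function names and the abridged sample are assumptions made for illustration.

```python
import re

# Class-based props.conf settings: the key must be written NAME-<class>.
CLASS_KEYS = ("TRANSFORMS", "REPORT", "EXTRACT", "FIELDALIAS", "LOOKUP", "SEDCMD")
REFERENCING = ("TRANSFORMS", "REPORT")  # values list transforms.conf stanza names

# Constructed sample: the posted files, with REPORT-sid cut to its first name.
SAMPLE_PROPS = """[firepass_log]
KV_MODE = none
TIME_FORMAT = %b%d%H:%M:%S
TRANSFORM = firepass_host
REPORT-sid = firepass-host
"""
SAMPLE_TRANSFORMS = r"""[firepass_host]
DEST_KEY = MetaData:Host
REGEX = (\d+\.\d+.\d+.\d+)
FORMAT = host::$1
"""

def parse_conf(text):
    """Return {stanza: [(lineno, key, value), ...]} for a .conf file body."""
    stanzas, current = {}, None
    for n, line in enumerate(map(str.strip, text.splitlines()), 1):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, [])
        elif current and "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current].append((n, key, value))
    return stanzas

def lint(props_text, transforms_text):
    """Flag class-less keys and references to undefined transforms."""
    defined = set(parse_conf(transforms_text))
    findings = []
    for stanza, settings in parse_conf(props_text).items():
        for n, key, value in settings:
            base, _, cls = key.partition("-")
            # Also match a key one letter short (TRANSFORM for TRANSFORMS).
            canonical = next((k for k in CLASS_KEYS if base in (k, k[:-1])), None)
            if canonical and (not cls or base != canonical):
                findings.append((n, stanza, f"{key}: expected {canonical}-<class>"))
            if canonical in REFERENCING:
                for ref in filter(None, (r.strip() for r in value.split(","))):
                    if ref not in defined:
                        findings.append((n, stanza, f"{key}: no stanza [{ref}]"))
    return findings

print(lint(SAMPLE_PROPS, SAMPLE_TRANSFORMS))
```

On the sample it reports the bare TRANSFORM key on line 4, and that REPORT-sid names firepass-host (hyphen) while the posted transforms.conf excerpt defines firepass_host (underscore).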