Getting Data In

On startup, Splunk reports issues with the default prefs.conf file (invalid keys)

tlabue
Path Finder

When I startup Splunk (v6.3.0 for Linux), I've notices warning message when Splunk is Checking conf files for problems.

It finds several issues with the default prefs.conf file, telling me several items have invalid keys.

  1. Not sure why the default file is coming up with errors. This has not been updated by us.
  2. Is prefs.conf used anymore? I thought this file was removed. It is not listed in the admin document as a conf file.
    I renamed the file and restarted, no warning messages, but then it complained it couldn't find default/prefs.conf.

What's the story with this behavior?

Thanks,
Tom

Tags (1)
0 Karma

tlabue
Path Finder

The Splunk v6.4.0 tar has no prefs.conf. Has this file been deprecated now?

0 Karma

s2_splunk
Splunk Employee
Splunk Employee

I recall at least one occurrence where the .spec file was not updated with 6.3, leading to startup warnings. Without knowing, which keys your installation complains about, it's hard to say whether you are experiencing the same issue. I would definitely try to upgrade to the latest 6.3.x version available on splunk.com.
And/Or, please update your question with the warnings you see.

0 Karma

tlabue
Path Finder

I listed the warnings above. It's not so easy for me to just upgrade to the new version. I have to get a bunch of approvals before I can do that. However, it seems I have seem this in the past few upgrades I have done (6.2.2, 6.2.4 at the very least).

0 Karma

Jeremiah
Motivator

There is still a default prefs.conf file in 6.3. Check the manifest file in your SPLUNK_HOME directory, it has a list of the files from the installer.

Is this a new installation of Splunk or an upgrade? If its an upgrade, check to see if your etc/system/default/prefs.conf file is read-only. It could be that when you upgraded, you were unable to overwrite the file, and now Splunk is complaining. An easy fix would be to adjust the permissions on the existing file, pull a copy of the new file from the tar.gz installer and copy it over the existing one.

0 Karma

tlabue
Path Finder

The manifest file I have for my 6.3.0 install still lists the default/prefs.conf. The file permissions are 440 instead of 444 listed in the manifest. Though all the files in the default directory have been at least touched by the upgrade. In the past if we've had permission issues, I see the errors immediately with the tarball deployment.

I pulled the file from the tar.gz installation and checked it against the installed file and the diff command reported no differences in the two files.

The warnings are about the following issues:
stanza [default]: line 23: clicksAppendToSearch (value: true)
stanza [default]: line 24: defaultTimeRange (value: startMonthsAgo=3)
stanza [default]: line 33: maxLines (value: 10)
stanza [default]: line 36: reportColumnList (value: [])
stanza [default]: line 37: chartLastPlotMode (value: column)
stanza [default]: line 49: dashboard_intro_getting_started (value: /static/html/getting_started.html)
stanza [default]: line 59: dashboard_customList_All_indexed_data_searches (value: .....)
stanza [default]: line 60: dashboard_customList_All_indexed_data_labels (value: Sources, Sourcetypes, Hosts)
stanza [default]: line 62: dashboard_customList_Saved_searches_searches (value: .....)
stanza [default]: line 63: dashboard_customList_Saved_searches_lables (value: )

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...