All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Add-on Builder: How to resolve "Invalid key in stanza" error for param._cam?

fsw2364
Path Finder
‎01-05-2017 04:29 PM

I'm down to my last error running Splunk Add-on Builder pre-certification test for my app: 

Error message: Invalid key in stanza [rapid_response_action] in /opt/splunk/etc/apps/TA-rapidresponse/default/alert_actions.conf, line 16: param._cam (value: { "category": ["Custom Alert Response","Composed Response App"], "task": ["respond","remediate"], "subject": ["system.resources"], "technology": [{"vendor": "Optensity", "product": "rapidresponse", "version": "1.0"}], "supports_adhoc": true }).

My alert_actions.conf is:

[rapid_response_action]
param.description = 
payload_format = json
param.summary = 
param.recoveryAppCoordinate = 
label = non-adaptivew rapid response action
icon_path = alert_rapid_response_action.png
is_custom = 1
param._cam = {\
    "category":        ["Custom Alert Response","Composed Response App"],\
    "task":            ["respond","remediate"],\
    "subject":         ["system.resources"],\
    "technology":      [{"vendor": "Optensity", "product": "rapidresponse", "version": "1.0"}],\
    "supports_adhoc":  true\
}

I ran 'bin/splunk cmd btool --app=TA-rapidresponse alert_actions list' , which didn't report any errors.

I'm running Splunk Enterprise 6.5.1 build f74036626f0c, with Splunk Add-on Builder App Version 2.0.0 App Build 15.

What am I missing? Please let me know.

Thank You!
Frank

Reply

ibmresilient
Path Finder
‎01-18-2018 01:40 PM

One year old already...

Well I think I figured it out. You need to modify
$SPLUNK_HOME/etc/apps/YOUR_APP/README/alert_actions.conf.spec

by adding this
param._cam=

Reply

rajibsaha2000
New Member
‎10-20-2017 07:23 AM

missing or malformed messages.conf stanza for LM LICENSE - how to resolve this issue

0 Karma
Reply

lfedak_splunk
Splunk Employee
Splunk Employee
‎10-20-2017 07:44 AM

Hey @rajibsaha2000, Since this post is from January you should create a new Answer post w/ your question. If this post is related you can include a link to reference it. Happy Splunking!

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎01-05-2017 06:55 PM

It's really weird. It's saying something is wrong with that key. Unfortunately it doesn't strike me as wrong or malformed. And I haven't used the add on builder either. I'll convert to comments and upvote to bring more attention to your cause though!

0 Karma
Reply

fsw2364
Path Finder
‎01-05-2017 06:27 PM

The examples provided at the path below both show "subject" as an array:

$ cat SPLUNK_HOME/etc/apps/Splunk_SA_CIM/README/alert_actions.conf.example

[my_action]

...

param._cam = {\
    "category":        ["Information Gathering"],\
    "task":            ["create"],\
    "subject":         ["network.capture"],\
    "technology":      [{"vendor": "Splunk", "product": "Splunk App for Stream"}],\
    "supports_adhoc":  true,\
    "drilldown_uri":   "my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"\
}


[my_action2]

...
-
param._cam = {\
    "category":        ["Information Gathering"],\
    "task":            ["scan"],\
    "subject":         ["process.reputation-service"],\
    "technology":      [{"vendor": "myvendor", "product": "myproduct", "version": "1.0"}],\
    "supports_adhoc":  true,\
    "drilldown_uri":   "../my_app/my_view?form.orig_sid=$sid$&form.orig_rid=$rid$"\
}

I did remove the backslashes and line breaks to make it all one line as shown below, and pre-validation still reported the same invalid key error. Is there something about the key param._cam that's invalid in this situation? 

[rapid_response_action]
param.description = 
payload_format = json
param.summary = 
param.recoveryAppCoordinate = 
label = non-adaptivew rapid response action
icon_path = alert_rapid_response_action.png
is_custom = 1
param._cam = {"category":["Custom Alert Response","Composed Response App"],"task":["respond","remediate"],"subject":["system.
resources"],"technology":[{"vendor": "Optensity", "product": "rapidresponse", "version": "1.0"}],"supports_adhoc":true}

Appreciate the help!

Frank

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎01-05-2017 04:41 PM 
 "subject":         ["system.resources"],\

That doesn't look like it should be in an array.., would remove the square braces.

Would also try to make it all one line by removing the line breaks and the backslashes.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...