Solved: Why do we get the Invalid key in stanza NO_BINARY_...

ddrillic · ‎03-09-2017

We have the following -

[monitor://C:\Windows\System32\winevt\Logs\ADFS 2.0%4Admin]
disabled = 0
sourcetype=winevt:admin
index=<index_name>
NO_BINARY_CHECK = true

[monitor://C:\Windows\System32\winevt\Logs\AD FS 2.0 Tracing%4Debug.etl]
disabled = 0
sourcetype=winevt:tracingdebug.etl
index=<index_name>
NO_BINARY_CHECK = true
~

We get the following error -

 Invalid key in stanza [monitor://C:\Windows\System32\winevt\Logs
\ADFS 2.0%4Admin] in C:\opt\splunk\splunkforwarder\etc\apps\xxxx_forwarder\local\inputs.conf, line 11: NO_BINARY_CHECK  (value:  true).

What can it be?

somesoni2 · ‎03-09-2017

Because NO_BINARY_CHECK is props.conf attribute and not inputs.conf where you defined it. See this
https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf#Binary_file_configuration

View solution in original post

somesoni2 · ‎03-09-2017

Because NO_BINARY_CHECK is props.conf attribute and not inputs.conf where you defined it. See this
https://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf#Binary_file_configuration

ddrillic · ‎03-09-2017

Oh oh - thank you!!!!

Why do we get the Invalid key in stanza NO_BINARY_CHECK?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life