Why am I getting the following "undocumented key" error from one of our heavy forwarders?

kwasielewski
Path Finder

I have two Heavy Forwarders in our environment running the same configuration and running Splunk v7.0.0 - Load balanced to receive syslog data. I noticed the following warning messages while restarting one of them. The other does not show any errors upon restart.

.
.
Undocumented key used in transforms.conf; stanza='pulse_connectsecure_meeting_started' setting='SOURCE_KEY' key='message'
Undocumented key used in transforms.conf; stanza='pulse_connectsecure_meeting_updated' setting='SOURCE_KEY' key='message'
Undocumented key used in transforms.conf; stanza='pulse_connectsecure_reason' setting='SOURCE_KEY' key='message'
Undocumented key used in transforms.conf; stanza='pulse_connectsecure_role' setting='SOURCE_KEY' key='roles'
.
.

There are several TAs or add-ons showing "Undocumented key" errors, all of which are sourced from Splunkbase and contain the original configurations. Not all transforms are affected, but about 80% are. Again, I am not seeing this on our other heavy forwarder, nor are we seeing it on our search heads, which also run the same apps/add-ons. A search of Splunk Answers did get me some information about using an [accepted_keys] transforms stanza to clean up any errors. But I would like to get to the core issue before doing any sort of cleanup work.

Does anyone know what would cause this particular instance of Splunk to report these keys as "undocumented"?

Thanks for your help,

Ken

0 Karma

ddrillic
Ultra Champion

Seems to be an old known bug (SPL-68932) based on Upgraded to Splunk 5.0.3, and noticing "Undocumented key used in transforms.conf" messages during st...

@splunkIT said -

This is a known bug (SPL-68932) in Splunk 5.0.3. The message is rather harmless, and your _SYSLOG_ROUTING should still work as usual.

You can either ignore the message during Splunk startup, or add the following entries to your transforms.conf to make the message go away:

[accepted_keys]
is_valid=_SYSLOG_ROUTING

More details on this [accepted_keys] stanza here:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Transformsconf

Once you have made the above changes and restarted Splunk, the warning messages should go away.

0 Karma
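
An added example, not part of the original thread and not Splunk's own code: a Python sketch that parses the startup warnings quoted in the question, lists which (stanza, setting, key) warnings one forwarder reports that the other does not, and builds an [accepted_keys] stanza in the name=key form shown in the answer. The function names and the `is_valid_N` entry names are assumptions made for this example, and the sample input is constructed from the lines in the question.

```python
import re
from collections import OrderedDict

# Shape of the warning line quoted in the question.
WARNING_RE = re.compile(
    r"Undocumented key used in transforms\.conf; "
    r"stanza='(?P<stanza>[^']*)' setting='(?P<setting>[^']*)' key='(?P<key>[^']*)'"
)

# Constructed sample: the four warnings from the question plus an unrelated line.
SAMPLE = """\
Checking conf files for problems...
Undocumented key used in transforms.conf; stanza='pulse_connectsecure_meeting_started' setting='SOURCE_KEY' key='message'
Undocumented key used in transforms.conf; stanza='pulse_connectsecure_meeting_updated' setting='SOURCE_KEY' key='message'
Undocumented key used in transforms.conf; stanza='pulse_connectsecure_reason' setting='SOURCE_KEY' key='message'
Undocumented key used in transforms.conf; stanza='pulse_connectsecure_role' setting='SOURCE_KEY' key='roles'
"""


def parse_warnings(text):
    """Return {key: [(stanza, setting), ...]} in first-seen order."""
    found = OrderedDict()
    for line in text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            found.setdefault(m["key"], []).append((m["stanza"], m["setting"]))
    return found


def only_on(first_output, second_output):
    """Warnings present in the first host's output but absent from the second's."""
    def as_set(text):
        return {(s, setting, key)
                for key, uses in parse_warnings(text).items()
                for s, setting in uses}
    return sorted(as_set(first_output) - as_set(second_output))


def accepted_keys_stanza(found):
    """Build an [accepted_keys] stanza with one entry per distinct key."""
    lines = ["[accepted_keys]"]
    for i, key in enumerate(found, 1):
        lines.append(f"is_valid_{i} = {key}")  # entry name is an arbitrary label
    return "\n".join(lines)


if __name__ == "__main__":
    print(accepted_keys_stanza(parse_warnings(SAMPLE)))
    # Second host reported no warnings, so every warning is listed as a difference.
    for item in only_on(SAMPLE, ""):
        print(item)
```
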