Upgraded to Splunk 5.0.3, and noticing "Undocument...

bmignosa_splunk · ‎06-10-2013

After upgrading to Splunk 5.0.3, upon startup, I noticed the following messages:

Undocumented key used in transforms.conf; stanza='syslogout' setting='DEST_KEY' key='_SYSLOG_ROUTING'
Please resolve these problems by correcting typos in key names, or by adding them to [accepted_keys] in transforms.conf if they are intended.
All preliminary checks passed.

I do have _SYSLOG_ROUTING setup in my transforms.conf as per splunk online doc for syslog out:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Deploy/Forwarddatatothird-partysystemsd

And this configuration has been working fine prior to splunk 5.0.3 upgrade.

splunkIT · ‎06-10-2013

This is a known bug (SPL-68932) in Splunk 5.0.3. The message is rather harmless, and your _SYSLOG_ROUTING should still works as usual.

You can either ignore the message during splunk startup, or by adding the following entries in your transforms.conf to make the message go away:

[accepted_keys]
is_valid=_SYSLOG_ROUTING

More details on this [accepted_keys] stanza here:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Admin/Transformsconf

Once you have made the above changes and restart splunk, the warning messages should go away.

Upgraded to Splunk 5.0.3, and noticing "Undocumented key used in transforms.conf" messages during startup

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!