Getting Data In

Getting "Invalid key in stanza" errors for the Splunk Windows Universal agent configured with default configuration?

Hemnaath
Motivator

Hi All, we recently upgraded to the latest version of the Universal Forwarder, 6.6.1, as we moved the entire Splunk instance from 6.2.1 to 6.6.1. We have configured a customized app for Windows monitoring. But currently we are getting the below error messages when the agents are restarted, and we are not sure why these error messages are popping up.

Error details :

Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 10: ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 11: checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 16:ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 17:current_only (value: 0).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 18:evt_resolve_ad_obj (value: 1).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 19:checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 24: start_from (value: oldest).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 25: current_only (value: 0).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 26: checkpointInterval (value: 5).

Configuration details in inputs.conf -- Partial configuration not full configuration.
[default]
evt_dc_name =
evt_dns_name =

# OS Logs

[WinEventLog:Application]
disabled = 0
current_only = 0
ignoreOlderThan = 2d
checkpointInterval = 5
index = windows

[WinEventLog:Security]
disabled = 0
ignoreOlderThan = 2d
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Can anyone help me in fixing this issue?
Thanks in advance.

0 Karma
1 Solution

spayneort
Contributor
  1. Change your stanzas to have slashes: [WinEventLog://Application], etc.

  2. Remove the "ignoreOlderThan" lines. That is for monitor:// inputs, not WinEventLog://.

https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf

Hemnaath
Motivator

Hi Spayneort, thanks for your effort on this issue. So do you mean I need to remove the "ignoreOlderThan" stanza from the inputs.conf file? But will that fix the other invalid key issues like checkpointInterval, start_from, evt_resolve_ad_obj and current_only?

# OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0

ignoreOlderThan = 2d

checkpointInterval = 5
index = windows

[WinEventLog://Security]
disabled = 0

ignoreOlderThan = 2d

current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

Kindly let me know whether the modified stanza will fix the issue, as we have almost 2500 Windows UF agents running with this stanza. So I need to be careful before using it. Please let me know whether this will fix the issue.

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi Spayneort, can I update the above stanza as you had mentioned in the comments?
Kindly let me know on this; I need to update the same in the prod environment.

thanks in advance.

0 Karma

Hemnaath
Motivator

Hi Spayneort, after making the above changes in inputs.conf, the "Invalid key in stanza" errors got fixed.

# OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0

ignoreOlderThan = 2d

checkpointInterval = 5
index = windows

[WinEventLog://Security]
disabled = 0

ignoreOlderThan = 2d

current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows

[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows

thanks.

0 Karma