Hi All, We recently upgraded to the latest version of the Universal Forwarder, 6.6.1, as we moved the entire Splunk instance from 6.2.1 to 6.6.1. We have configured a customized app for Windows monitoring. But currently we are getting the below error messages when the agents are restarted, and we are not sure why these error messages are popping up.
Error details:
Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 10: ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Application] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 11: checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 16:ignoreOlderThan (value: 2d).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 17:current_only (value: 0).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 18:evt_resolve_ad_obj (value: 1).
Invalid key in stanza [WinEventLog:Security] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 19:checkpointInterval (value: 5).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 24: start_from (value: oldest).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 25: current_only (value: 0).
Invalid key in stanza [WinEventLog:System] in C:\Program Files\SplunkUniversalForwarder\etc\apps\test-app-win_svrs\default\inputs.conf, line 26: checkpointInterval (value: 5).
Configuration details in inputs.conf -- Partial configuration not full configuration.
[default]
evt_dc_name =
evt_dns_name =
[WinEventLog:Application]
disabled = 0
current_only = 0
ignoreOlderThan = 2d
checkpointInterval = 5
index = windows
[WinEventLog:Security]
disabled = 0
ignoreOlderThan = 2d
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows
[WinEventLog:System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows
Can anyone help me in fixing this issue?
Thanks in advance.
Change your stanzas to have slashes: [WinEventLog://Application], etc.
Remove the "ignoreOlderThan" lines. That is for monitor:// inputs, not WinEventLog://.
https://docs.splunk.com/Documentation/Splunk/6.6.1/Admin/Inputsconf
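The two corrections in the answer above can be checked mechanically before a changed inputs.conf is pushed to forwarders. The following Python sketch is an added example, not part of the original posts and not a Splunk tool; the `check` function and the sample text are constructed for illustration, and it tests only the two rules stated in the answer.

```python
import re

# Constructed sample in the layout of the question's inputs.conf (not the real file).
SAMPLE = """\
[default]
evt_dc_name =
[WinEventLog:Application]
disabled = 0
ignoreOlderThan = 2d
checkpointInterval = 5
[WinEventLog://Security]
ignoreOlderThan = 2d
current_only = 0
[monitor://C:\\logs\\app.log]
ignoreOlderThan = 2d
"""

STANZA = re.compile(r"^\s*\[([^\]]*)\]\s*$")   # [stanza name]
KEY = re.compile(r"^\s*([^=\s#]+)\s*=")        # key = value (comment lines skipped)


def check(text):
    """Return (findings, corrected_text) for the two rules from the answer."""
    findings, out, stanza = [], [], ""
    for n, raw in enumerate(text.splitlines(), 1):
        header = STANZA.match(raw)
        key = KEY.match(raw)
        if header:
            stanza = header.group(1)
            # Rule 1: event log inputs are named WinEventLog://<channel>.
            if stanza.startswith("WinEventLog:") and not stanza.startswith("WinEventLog://"):
                fixed = "WinEventLog://" + stanza.split(":", 1)[1]
                findings.append((n, f"[{stanza}] should be [{fixed}]"))
                stanza, raw = fixed, f"[{fixed}]"
        elif key and key.group(1) == "ignoreOlderThan" and stanza.startswith("WinEventLog:"):
            # Rule 2: ignoreOlderThan belongs to monitor:// inputs, so drop the line.
            findings.append((n, f"ignoreOlderThan in [{stanza}] is a monitor:// setting"))
            continue
        out.append(raw)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    issues, corrected = check(SAMPLE)
    for line_no, message in issues:
        print(f"line {line_no}: {message}")
    print(corrected)
```
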
Hi Spayneort, thanks for your effort on this issue. So do you mean I need to remove the "ignoreOlderThan" stanza from the inputs.conf file? But will that fix the other invalid key issues like checkpointInterval, start_from, evt_resolve_ad_obj and current_only?
OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = windows
[WinEventLog://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows
Kindly let me know whether the modified stanza will fix the issue, as we have almost 2500 Windows UF agents running with this stanza. So I need to be careful before using it. Please let me know whether this will fix the issue.
Thanks in advance.
Hi Spayneort, can I update the above stanza as you had mentioned in the comments?
Kindly let me know on this; I need to update the same in the prod environment.
Thanks in advance.
Hi Spayneort, after making the above changes in inputs.conf, the "Invalid key in stanza" errors got fixed.
OS Logs
[WinEventLog://Application]
disabled = 0
current_only = 0
checkpointInterval = 5
index = windows
[WinEventLog://Security]
disabled = 0
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
index = windows
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
index = windows
Thanks.