Solved: Why do I get "Invalid key in stanza..."

JarrettM · ‎01-19-2018

Deploying app to collect IIS logs. When restarting the forwarder get the following:
" Invalid key in stanza [monitor:E:\AirWatch\Logs\IIS\] in E:\SplunkUniversalForwarder\etc\apps\IIS\default\inputs.conf, line 7: whitelist (value: \.log$). Your indexes and inputs configurations are not internally consistent"
Runninf splunk btool gives no further info.
Here is the entire inputs.conf:

[monitor:e:\AirWatch\Logs\IIS
disabled=false
sourcetype=iis
whitelist=\.logs$

mayurr98 · ‎01-19-2018

Hey check the syntax of monitor stanza

[monitor://e:\AirWatch\Logs\IIS]
disabled = 0
sourcetype = iis
whitelist = \.logs$

You need to add your path after [monitor://<your_path>]
Also to monitor file with the .logextension, you should write \.log$
You can find this in
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Whitelistorblacklistspecificincomingdat...
Let me know if this helps!

View solution in original post

493669 · ‎01-19-2018

try this:

 [monitor://e:\AirWatch\Logs\IIS]
 disabled = 0
 sourcetype = iis
 whitelist = \.logs$

JarrettM · ‎01-19-2018

You got it! Sorry I can't mark your answer as accepted. Someone else beat you by 4 minutes!

Thanks!!

mayurr98 · ‎01-19-2018

Hey check the syntax of monitor stanza

[monitor://e:\AirWatch\Logs\IIS]
disabled = 0
sourcetype = iis
whitelist = \.logs$

You need to add your path after [monitor://<your_path>]
Also to monitor file with the .logextension, you should write \.log$
You can find this in
https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Whitelistorblacklistspecificincomingdat...
Let me know if this helps!

JarrettM · ‎01-19-2018

That did it. Pretty stupid on my part!

Thanks!!

Why do I get "Invalid key in stanza..."

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases