I have a similar, but not the same inconsistency issue with inputs.conf on distributed setup.
I have udp listener on [udp://5514] and app_name = _server_app_APPNAME_ABC_CDE
The splunkd complains on inconsistency with line containing the app_name details.
I have addtotal listener for [udp://6006] - and same complaint.
Interestingly this is native application with just udp listening and syslog sourcetype.
Are you saying that you have an app_name key under the udp stanza in your inputs.conf file? LIke this?
[udp://6006] app_name = _server_app_APPNAME_ABC_CDE
If so, I don't see app_name key defined in the spec file for inputs.conf (see below). That's why it'd be throwing an error - it's a key that Splunk doesn't expect to be there and doesn't know what to do with.
If that's not the case, then could you share your inputs.conf and the exact error message from Splunk?
[udp://<remote server>:<port>] * Similar to TCP, except that it listens on a UDP port. * Only one stanza per port number is currently supported. * Configure Splunk to listen on a specific port. * If <remote server> is specified, the specified port will only accept data from that server. * If <remote server> is empty - [udp://<port>] - the port will accept data sent from any server. * remote server is not recommended. This feature has been superseded by the acceptFrom setting. * Will generate events with source set to udp:portnumber, for example: udp:514 * If sourcetype is unspecified, will generate events with sourcetype set to udp:portnumber . # Additional attributes: connection_host = [ip|dns|none] * "ip" sets the host to the IP address of the system sending the data. * "dns" sets the host to the reverse DNS entry for IP address of the system sending the data. * "none" leaves the host as specified in inputs.conf, typically the splunk system hostname. * Defaults to "ip". _rcvbuf = <integer> * Specifies the receive buffer for the UDP port (in bytes). * If the value is 0 or negative, it is ignored. * Note: If the default value is too large for an OS, Splunk will try to set the value to 1572864/2. If that value also fails, Splunk will retry with 1572864/(2*2). It will continue to retry by halving the value until it succeeds. * Defaults to 1,572,864. no_priority_stripping = [true|false] * Setting for receiving syslog data. * If this attribute is set to true, Splunk does NOT strip the <priority> syslog field from received events. * NOTE: Do NOT include this attribute if you want to strip <priority>. * Default is false. no_appending_timestamp = [true|false] * If this attribute is set to true, Splunk does NOT append a timestamp and host to received events. * NOTE: Do NOT include this attribute if you want to append timestamp and host to received events. * Default is false. queueSize = <integer>[KB|MB|GB] * Maximum size of the in-memory input queue. * Defaults to 500KB. persistentQueueSize = <integer>[KB|MB|GB|TB] * Maximum size of the persistent queue file. * Defaults to 0 (no persistent queue). * If set to some value other than 0, persistentQueueSize must be larger than the in-memory queue size (set by queueSize attribute in inputs.conf or maxSize settings in [queue] stanzas in server.conf). * Persistent queues can help prevent loss of transient data. For information on persistent queues and how the queueSize and persistentQueueSize settings interact, see the online documentation. listenOnIPv6 = <no | yes | only> * Toggle whether this port will listen on IPv4, IPv6, or both * If not present, the setting in the [general] stanza of server.conf will be used acceptFrom = <network_acl> ... * Lists a set of networks or addresses to accept data from. These rules are separated by commas or spaces * Each rule can be in the following forms: 1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3") 2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32") 3. A DNS name, possibly with a '*' used as a wildcard (examples: "myhost.example.com", "*.splunk.com") 4. A single '*' which matches anything * Entries can also be prefixed with '!' to cause the rule to reject the connection. Rules are applied in order, and the first one to match is used. For example, "!10.1/16, *" will allow connections from everywhere except the 10.1.*.* network. * Defaults to "*" (accept from anywhere) [udp:<port>] * This input stanza is same as [udp://<remote server>:<port>] but without any remote server restriction * Please see the documentation for [udp://<remote server>:<port>] to follow supported settings: connection_host = [ip|dns|none] _rcvbuf = <integer> no_priority_stripping = [true|false] no_appending_timestamp = [true|false] queueSize = <integer>[KB|MB|GB] persistentQueueSize = <integer>[KB|MB|GB|TB] listenOnIPv6 = <no | yes | only> acceptFrom = <network_acl> ...
Its distributed deployment but yes, the udp/6006 string is on inputs.conf and the appname is as shown.
The exact error message is the inconsistency error mentioned before.
I can not understand how this issue is visible as with another system - equal to this except the app_name - and it is working.
I am not sure WHICH files I should compare to check the consistency? These are on deployed_apps/../appname - directory.
Maybe I didn't explain it very well or I'm misunderstanding, but the i think problem is that splunk doesn't know anything about an "app_name" value for the conf file. That's exactly what it's telling you.
Why are you specifying app_name in there? What are you trying to accomplish? Because I don't think it does what you think it does.