Getting Data In

Why am I getting "Invalid key in stanza _server_app_APPNAME_ABC_CDE" with udp listener?

strangelaw
Explorer

I have a similar, but not the same inconsistency issue with inputs.conf on distributed setup.

I have udp listener on [udp://5514] and app_name = _server_app_APPNAME_ABC_CDE

The splunkd complains on inconsistency with line containing the app_name details.

I have addtotal listener for [udp://6006] - and same complaint.

Interestingly this is native application with just udp listening and syslog sourcetype.

Ideas?

0 Karma

maciep
Champion

Are you saying that you have an app_name key under the udp stanza in your inputs.conf file? LIke this?

[udp://6006]
app_name = _server_app_APPNAME_ABC_CDE

If so, I don't see app_name key defined in the spec file for inputs.conf (see below). That's why it'd be throwing an error - it's a key that Splunk doesn't expect to be there and doesn't know what to do with.

If that's not the case, then could you share your inputs.conf and the exact error message from Splunk?
http://docs.splunk.com/Documentation/Splunk/6.3.3/Admin/Inputsconf

[udp://<remote server>:<port>]
* Similar to TCP, except that it listens on a UDP port.
* Only one stanza per port number is currently supported.
* Configure Splunk to listen on a specific port.
* If <remote server> is specified, the specified port will only accept data
  from that server.
* If <remote server> is empty - [udp://<port>] - the port will accept data sent
  from any server.
  * remote server is not recommended.  This feature has been superseded by the
    acceptFrom setting.
* Will generate events with source set to udp:portnumber, for example: udp:514
* If sourcetype is unspecified, will generate events with sourcetype set 
  to udp:portnumber .

# Additional attributes:

connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
  sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk
  system hostname.
* Defaults to "ip".

_rcvbuf = <integer>
* Specifies the receive buffer for the UDP port (in bytes).
* If the value is 0 or negative, it is ignored.
* Note: If the default value is too large for an OS, Splunk will try to set the
  value to 1572864/2. If that value also fails, Splunk will retry with
  1572864/(2*2). It will continue to retry by halving the value until it
  succeeds.
* Defaults to 1,572,864.

no_priority_stripping = [true|false]
* Setting for receiving syslog data.
* If this attribute is set to true, Splunk does NOT strip the <priority> syslog
  field from received events.
* NOTE: Do NOT include this attribute if you want to strip <priority>.
* Default is false.

no_appending_timestamp = [true|false]
* If this attribute is set to true, Splunk does NOT append a timestamp and host
  to received events.
* NOTE: Do NOT include this attribute if you want to append timestamp and host
  to received events.
* Default is false.

queueSize = <integer>[KB|MB|GB]
* Maximum size of the in-memory input queue.
* Defaults to 500KB.

persistentQueueSize = <integer>[KB|MB|GB|TB]
* Maximum size of the persistent queue file.
* Defaults to 0 (no persistent queue).
* If set to some value other than 0, persistentQueueSize must be larger than
  the in-memory queue size (set by queueSize attribute in inputs.conf or
  maxSize settings in [queue] stanzas in server.conf).
* Persistent queues can help prevent loss of transient data. For information on
  persistent queues and how the queueSize and persistentQueueSize settings
  interact, see the online documentation.

listenOnIPv6 = <no | yes | only>
* Toggle whether this port will listen on IPv4, IPv6, or both
* If not present, the setting in the [general] stanza of server.conf will be
  used

acceptFrom = <network_acl> ...
* Lists a set of networks or addresses to accept data from.  These rules are
  separated by commas or spaces
* Each rule can be in the following forms:
    1. A single IPv4 or IPv6 address (examples: "10.1.2.3", "fe80::4a3")
    2. A CIDR block of addresses (examples: "10/8", "fe80:1234/32")
    3. A DNS name, possibly with a '*' used as a wildcard (examples:
       "myhost.example.com", "*.splunk.com")
    4. A single '*' which matches anything
* Entries can also be prefixed with '!' to cause the rule to reject the
  connection.  Rules are applied in order, and the first one to match is
  used.  For example, "!10.1/16, *" will allow connections from everywhere
  except the 10.1.*.* network.
* Defaults to "*" (accept from anywhere)

[udp:<port>]
* This input stanza is same as [udp://<remote server>:<port>] but without any
  remote server restriction
* Please see the documentation for [udp://<remote server>:<port>] to follow
  supported settings:

connection_host = [ip|dns|none]
_rcvbuf = <integer>
no_priority_stripping = [true|false]
no_appending_timestamp = [true|false]
queueSize = <integer>[KB|MB|GB]
persistentQueueSize = <integer>[KB|MB|GB|TB]
listenOnIPv6 = <no | yes | only>
acceptFrom = <network_acl> ...
0 Karma

strangelaw
Explorer

Its distributed deployment but yes, the udp/6006 string is on inputs.conf and the appname is as shown.

The exact error message is the inconsistency error mentioned before.

I can not understand how this issue is visible as with another system - equal to this except the app_name - and it is working.

I am not sure WHICH files I should compare to check the consistency? These are on deployed_apps/../appname - directory.

0 Karma

maciep
Champion

Maybe I didn't explain it very well or I'm misunderstanding, but the i think problem is that splunk doesn't know anything about an "app_name" value for the conf file. That's exactly what it's telling you.

Why are you specifying app_name in there? What are you trying to accomplish? Because I don't think it does what you think it does.

0 Karma

strangelaw
Explorer

This comes automatically from the system when I have deployed just the search app. Simply put: How do I get rid of that?

0 Karma

maciep
Champion

The simple answer is to remove that line from the inputs.conf file and see if it goes away.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...