topic Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration? in Getting Data In

Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

dailv1808 — Fri, 15 Jul 2016 07:53:25 GMT

My problem like this https://answers.splunk.com/answers/209017/why-am-i-not-getting-data-from-the-splunk-app-for.html, but i can not find out solve in this post. Can anyone confirm exactly how the stream config is supposed to be setup on a universal forwarder and how the indexer is configured for each streamfwd source?
Splunk is version 6.4.2 with app for stream 6.5.1
The forwarder I'm testing with is version 6.4.2

Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

diogofgm — Tue, 29 Sep 2020 10:15:36 GMT

are you running the forwarder plunked with root?
did you use the script to give permissions on the stream TA?
Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream.
Issue the command sudo ./set_permissions.sh

Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

dailv1808 — Sat, 16 Jul 2016 02:34:47 GMT

i have installed fowarder on win7. So how to running the forwarder with root?

Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

dailv1808 — Tue, 29 Sep 2020 10:15:01 GMT

more detail:
step 1: I installed SPlunk_App_For_Stream on Splunk server.
Step 2: Install Forwarder on Win7 machine, use administrator account
Step 3: copy Splunk_TA_stream folder from C:\Program Files\Splunk\etc\deployment-apps on Splunk server to C:\Program Files\SplunkUniversalForwarder\etc\apps folder on win7 machine.
Step 4: Splunk_TA_stream inputs.conf on the forwarder has been configured as follows:
*[streamfwd://streamfwd]
splunk_stream_app_location = http://INDEXER_FQDN:8000/en-us/custom/splunk_app_stream/
disabled = 0*
Where INDEXER_FQDN is the full domain name of the splunk server.

Splunk server just received application log, system log, CPU, Ram log.... from win7 machine. However none of the stream data from the forwarder is showing up in the Splunk Server.
i was search host="WIN-ORBA5MJH4BM" source=stream* but no have results found
WIN-ORBA5MJH4BM is the domain name of the win7 machine
Can you confirm exactly how the stream config?

Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

sjaworski — Sat, 16 Jul 2016 15:25:31 GMT

On Windows, Start Task Manager, Select Processes and make sure the Universal Forwarder splunkd.exe and Stream streamfwd.exe is running as System. If it's running as system you should be good.

Make sure the Splunk Stream app is install on your search head, unless your indexer is also your search head. This is where you will configure Splunk Stream on what to collect. The stream app on the UF will receive it's configuration from the search head.

Run the btool command form the Splunk bin directory, splunk btool inputs list streamfwd

By default Splunk stream logs to the main index. Maybe search index=main It's possible you search is not searching the main index by default.

Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

dailv1808 — Sat, 16 Jul 2016 15:47:19 GMT

Hi you.
Thank you for your reply.
On Processes tab, it just have splunkd.exe, not streamfwd.exe.
when i run splunk btool inputs list streamfwd command

So how to config to Splunk server get stream data from windows?

Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

sjaworski — Sat, 16 Jul 2016 16:09:03 GMT

Have you restarted the UF since installing the Stream TA in /etc/apps?

Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

dailv1808 — Tue, 29 Sep 2020 10:15:10 GMT

I both run streamfwd.exe in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stram\windows_x86_64\bin and Splunk.exe inC:\Program Files\SplunkUniversalForwarder\bin but no difference at all

Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

sjaworski — Sat, 16 Jul 2016 16:39:44 GMT

You do no need to start the streamfwd.exe by itself. Splunk will automatically start it when UF restarts.

Execute C:\Program Files\SplunkUniversalForwarder\bin\ splunk restart

If that does not work, on your Splunk search head start reviewing the splunkd.log of the windows 7 host. Search index=_internal host=win-orba5mjh4bm stream start reviewing the log. It may give an indication of what is going on.

Or you can grep (find on Windows) find /I "stream" splunkd.loglocally on the win 7 host in c:/program files/splunkuniversalforwarder/var/log/splunk/

Also, check out the streamfwd.log.

Re: Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

dailv1808 — Sat, 16 Jul 2016 17:21:44 GMT

I spent 2 days for this problem and now it solved.
I restarted splunk with this command C:\Program Files\SplunkUniversalForwarder\bin\splunk restart
and then splunk_server received stream data from window. And now i wonder why it cann't get data when i double click on splunk.exe in C:\Program Files\SplunkUniversalForwarder\bin.
Thank you so muchhhhhhhhh!