Hi all together,
I deployed App for Stream in my Environment. I read all questions here and googled a lot but still have no clue.
First, I describe what I have done, step by step:
- installed the app on my deployment server
- deployed Splunk_TA_stream (the folder is automatically created in deployment-apps on the deployment server)
- adapted settings in the config files in deployment-apps and reloaded the deployment server
Now I see the page on my Windows machine: localhost://8889 but there is "splunk (stoped)" displayed. Other data is sent to my indexers.
In my UF splunkd.log I spotted these lines:
04-01-2015 12:11:26.233 +0200 INFO DeployedApplication - Checksum mismatch 7671923074274294560 <> 16828329602381525207 for app=Splunk_TA_stream. Will reload from='192.168.178.23:8089/services/streams/deployment?name=default:Forwarder:Splunk_TA_stream'
04-01-2015 12:11:41.763 +0200 INFO DeployedApplication - Downloaded url=192.168.178.23:8089/services/streams/deployment?name=default:Forwarder:Splunk_TA_stream to file='C:\Program Files\SplunkUniversalForwarder\var\run\Forwarder\Splunk_TA_stream-1427883061.bundle' sizeKB=177190
04-01-2015 12:11:45.176 +0200 WARN DeployedApplication - Unable to remove dir='C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream': Der Vorgang wurde erfolgreich beendet.. Splunk will continue trying to install application
04-01-2015 12:11:45.176 +0200 INFO DeployedApplication - Installing app=Splunk_TA_stream to='C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream'
04-01-2015 12:11:54.280 +0200 INFO DeployedApplication - Could not locate local.meta in Splunk_TA_stream. Installing local.meta to path=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\metadata\local.meta
04-01-2015 12:23:31.057 +0200 INFO SpecFiles - Found external scheme definition for stanza "streamfwd://" with 1 parameters: splunk_stream_app_Location
04-01-2015 12:23:37.749 +0200 INFO ModularInputs - Endpoint argument settings for "splunk_stream_app_location":
04-01-2015 12:23:37.749 +0200 INFO ModularInputs - Introspection setup completed for scheme "streamfwd".
04-01-2015 12:23:59.059 +0200 INFO ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"
04-01-2015 12:23:59.059 +0200 INFO ExecProcessor - interval: run once
...
04-01-2015 12:24:06.328 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"" No license at startup, please load a valid licence.
04-01-2015 12:24:06.328 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"" licence error, could not read hardware identifier v4
04-01-2015 12:24:06.328 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"" licence error, could not read hardware identifier v5
04-01-2015 12:24:06.328 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"" licence error, could not read hardware identifier v6
So it looks to me that the app was installed successfully. But what about the license error?
Thank you very much for your help
Hi vshcherbakov,
thank you for your reply.
Due to my recent adaptations in streamfwdlog.conf, I now get the following message in streamfwd.log:
2015-04-02 09:04:34 ERROR [5328] (CaptureServer.cpp:1063) stream.CaptureServer - Unable to ping server (b16e37ea-c2e7-4f0a-81ba-0165e5d8bee6): Unable to establish connection to localhost: Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte
Inputs.conf
[streamfwd://streamfwd]
splunk_stream_app_location = http://localhost:8000/en-us/custom/splunk_app_stream/
disabled = 0
streamfwd.xml
<?xml version="1.0" encoding="UTF-8"?>
<CmConfig xmlns="http://purl.org/cloudmeter/config" version="6.2.0">
<Port>8889</Port>
<UIDirectory>../ui</UIDirectory>
<DataDirectory>../data</DataDirectory>
<LogConfig>streamfwdlog.conf</LogConfig>
</CmConfig>
Hi,
thank you very much! It makes sense, but it was not clear to me while reading the documentation.
After rebooting the client, it worked.
Restarting splunk was not sufficient.
You'll need to change splunk_stream_app_location in inputs.conf to match the splunkweb endpoint where you have the Stream app installed (I believe your deployment server). Leave "en-us" and everything after the same; just modify protocol, host and port as necessary.
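A check for the misconfiguration discussed in this thread, as an added example that is not part of the original posts or of the Stream app: it parses a forwarder's inputs.conf, flags any streamfwd stanza whose splunk_stream_app_location points at a loopback address, and rewrites only protocol, host and port. The sample config is the one posted above; the host name splunkweb.example.internal and the function names are hypothetical.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the forwarder's inputs.conf as posted in the thread.
SAMPLE_INPUTS_CONF = """\
[streamfwd://streamfwd]
splunk_stream_app_location = http://localhost:8000/en-us/custom/splunk_app_stream/
disabled = 0
"""

KEY = "splunk_stream_app_location"


def is_loopback(host):
    """True for 'localhost' or any loopback IP literal (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name other than localhost


def find_loopback_locations(conf_text):
    """Return (stanza, url) pairs whose Stream app location targets the forwarder itself."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(conf_text)
    hits = []
    for stanza in cp.sections():
        if not stanza.startswith("streamfwd://"):
            continue
        url = cp.get(stanza, KEY, fallback=None)
        if url and is_loopback(urlsplit(url).hostname or ""):
            hits.append((stanza, url))
    return hits


def retarget(url, scheme, host, port):
    """Swap protocol, host and port; keep 'en-us' and everything after it unchanged."""
    parts = urlsplit(url)
    return urlunsplit((scheme, f"{host}:{port}", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for stanza, url in find_loopback_locations(SAMPLE_INPUTS_CONF):
        # Hypothetical splunkweb host where the Stream app is installed.
        print(stanza, "->", retarget(url, "http", "splunkweb.example.internal", 8000))
```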
Hello baxiani,
The license error messages are benign; they are going to be suppressed in the next maintenance release.
Could you publish the content of inputs.conf and streamfwd.xml from Splunk_TA_stream/local? Also, is there anything in var/log/splunk/streamfwd.log?