All Apps and Add-ons

App for Stream deployed on Windows UF not capturing (license error?)

baxiani
Explorer

Hi all together,

I deployed App for Stream in my Environment. I read all questions here and googled a lot but still have no clue.
First I described what I have done step by step
- installed app at my deployment Server
- deployed Splunk_TA_stream (the Folder is automatically created in deployment-apps at deployment Server)
- adapt Setting in config files at deployment-apps and reload deploy-Server

Now I see the page on my Windows machine: localhost://8889 but there is "splunk (stoped)" displayed. Other data is sent to my indexers.

in my UF splunkd.log I spottet theese lines:

04-01-2015 12:11:26.233 +0200 INFO  DeployedApplication - Checksum mismatch 7671923074274294560 <> 16828329602381525207 for app=Splunk_TA_stream. Will reload from='192.168.178.23:8089/services/streams/deployment?name=default:Forwarder:Splunk_TA_stream'
04-01-2015 12:11:41.763 +0200 INFO  DeployedApplication - Downloaded url=192.168.178.23:8089/services/streams/deployment?name=default:Forwarder:Splunk_TA_stream to file='C:\Program Files\SplunkUniversalForwarder\var\run\Forwarder\Splunk_TA_stream-1427883061.bundle' sizeKB=177190
04-01-2015 12:11:45.176 +0200 WARN  DeployedApplication - Unable to remove dir='C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream': Der Vorgang wurde erfolgreich beendet.. Splunk will continue  trying to install application
04-01-2015 12:11:45.176 +0200 INFO  DeployedApplication - Installing app=Splunk_TA_stream to='C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream'
04-01-2015 12:11:54.280 +0200 INFO  DeployedApplication - Could not locate local.meta in Splunk_TA_stream. Installing local.meta to path=C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\metadata\local.meta
04-01-2015 12:23:31.057 +0200 INFO  SpecFiles - Found external scheme definition for stanza "streamfwd://" with 1 parameters: splunk_stream_app_Location
04-01-2015 12:23:37.749 +0200 INFO  ModularInputs - Endpoint argument settings for "splunk_stream_app_location":
04-01-2015 12:23:37.749 +0200 INFO  ModularInputs - Introspection setup completed for scheme "streamfwd".
04-01-2015 12:23:59.059 +0200 INFO  ExecProcessor - New scheduled exec process: "C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"
04-01-2015 12:23:59.059 +0200 INFO  ExecProcessor -     interval: run once
...
04-01-2015 12:24:06.328 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"" No license at startup, please load a valid licence.
04-01-2015 12:24:06.328 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"" licence error, could not read hardware identifier v4
04-01-2015 12:24:06.328 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"" licence error, could not read hardware identifier v5
04-01-2015 12:24:06.328 +0200 ERROR ExecProcessor - message from ""C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"" licence error, could not read hardware identifier v6

so it looks for me that the app was installed successful. but what about the license error?

Thank you very much for your help

0 Karma
1 Solution

baxiani
Explorer

Hi vshcherbakov,

thank you for your reply.
Due to my recent adaptions in streamfwdlog.conf I get now following msg in streamfwd.log

2015-04-02 09:04:34 ERROR [5328] (CaptureServer.cpp:1063) stream.CaptureServer - Unable to ping server (b16e37ea-c2e7-4f0a-81ba-0165e5d8bee6): Unable to establish connection to localhost: Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte

Inputs.conf
[streamfwd://streamfwd]

splunk_stream_app_location = http://localhost:8000/en-us/custom/splunk_app_stream/
disabled = 0

streamfwd.xml

<?xml version="1.0" encoding="UTF-8"?>
<CmConfig xmlns="http://purl.org/cloudmeter/config" version="6.2.0">
  <Port>8889</Port>
  <UIDirectory>../ui</UIDirectory>
  <DataDirectory>../data</DataDirectory>
  <LogConfig>streamfwdlog.conf</LogConfig>
</CmConfig>

View solution in original post

0 Karma

baxiani
Explorer

Hi,

thank you very much! It makes sense but it was not clear for me while reading documentation.
After rebooting the client, it worked.
Restarting splunk was not sufficient.

0 Karma

baxiani
Explorer

Hi vshcherbakov,

thank you for your reply.
Due to my recent adaptions in streamfwdlog.conf I get now following msg in streamfwd.log

2015-04-02 09:04:34 ERROR [5328] (CaptureServer.cpp:1063) stream.CaptureServer - Unable to ping server (b16e37ea-c2e7-4f0a-81ba-0165e5d8bee6): Unable to establish connection to localhost: Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte

Inputs.conf
[streamfwd://streamfwd]

splunk_stream_app_location = http://localhost:8000/en-us/custom/splunk_app_stream/
disabled = 0

streamfwd.xml

<?xml version="1.0" encoding="UTF-8"?>
<CmConfig xmlns="http://purl.org/cloudmeter/config" version="6.2.0">
  <Port>8889</Port>
  <UIDirectory>../ui</UIDirectory>
  <DataDirectory>../data</DataDirectory>
  <LogConfig>streamfwdlog.conf</LogConfig>
</CmConfig>
0 Karma

mdickey_splunk
Splunk Employee
Splunk Employee

You'll need to change splunk_stream_app_location in inputs.conf to match the splunkweb endpoint where you have the Stream app installed (I believe your deployment server). Leave "en-us" and everything after the same; just modify protocol, host and port as necessary.

0 Karma

vshcherbakov_sp
Splunk Employee
Splunk Employee

Hello baxiani,

The license error messages are benign, it's going to be suppressed in the next maintenance release.

Could you publish the content of inputs.conf and streamfwd.xml from Splunk_TA_stream/local? Also, is there anything in var/log/splunk/streamfwd.log?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...