I am using the eStreamer app in Splunk, and I am unable to get streamer logs displayed on the Splunk Search Head. We are utilizing a heavy forwarder server to dump the streamer logs into the 'log' folder on this heavy forwarder server. The logs are regularly getting dumped in the 'log' folder, and a successful connection is established within the heavy forwarder and indexers and between the heavy forwarder and the streamer management console, which runs the service on port 8302.
A look in splunkd.log shows the following error:
10-24-2016 15:21:36.349 -0500 ERROR ExecProcessor - message from "python /oap/poap/a00/splunk/etc/apps/eStreamer/bin/client_check.py" Oct 24 15:21:36  Daemonizing process
But manually invoking the client_check.py script shows that the client is running, and Splunk has permission to read the script as well:
-rwxr-xr-x 1 splunk splunk 8753 Oct 18 13:28 client_check.py
splunk@eagnmnmbp275:/oap/poap/a00/splunk/etc/apps/eStreamer/bin> ./client_check.py
event_sec=1477341054 status_id=1 status="eStreamer client is running."
Can someone assist me in troubleshooting this issue?
A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:
It is free to use and well documented, but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting, you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.
Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.
I'm having the same issue... The eStreamer Dashboard shows 'RUNING'. There is no eStreamer.log file created, and I see the following in splunkd.log:
11-07-2016 13:38:37.451 +0000 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/eStreamer/bin/client_check.py
11-07-2016 13:38:37.662 +0000 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/etc/apps/eStreamer/log.
11-07-2016 13:38:37.663 +0000 INFO TailingProcessor - Adding watch on path: /opt/splunk/etc/apps/eStreamer/log.
11-07-2016 13:43:42.110 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/eStreamer/bin/client_check.py" Nov 07 13:43:42  Daemonizing process