
Cisco eStreamer for Splunk: How to troubleshoot error in which eStreamer logs are not displayed in Splunk?



I am using the eStreamer app in Splunk, and I am unable to get streamer logs displayed on the Splunk Search Head. We are utilizing a heavy forwarder server to dump the streamer logs into the 'log' folder on this heavy forwarder server. The logs are regularly getting dumped in the 'log' folder, and a successful connection is established between the heavy forwarder and the indexers and between the heavy forwarder and the streamer management console, which runs the service on port 8302.

A look in splunkd.log shows the following error:

10-24-2016 15:21:36.349 -0500 ERROR ExecProcessor - message from "python /oap/poap/a00/splunk/etc/apps/eStreamer/bin/" Oct 24 15:21:36 [20956] Daemonizing process

But manually invoking the script shows that the client is running, and Splunk has permission to read the script as well:

-rwxr-xr-x 1 splunk splunk     8753 Oct 18 13:28

splunk@eagnmnmbp275:/oap/poap/a00/splunk/etc/apps/eStreamer/bin> ./
event_sec=1477341054 status_id=1 status="eStreamer client is running."

Can someone assist me in troubleshooting this issue?




A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore

eNcore Dashboard

It is free to use and well documented, but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting, you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma


I'm having the same issue... The eStreamer Dashboard shows 'RUNING'. There is no eStreamer.log file created, and I see the following in splunkd.log:

11-07-2016 13:38:37.451 +0000 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/eStreamer/bin/
11-07-2016 13:38:37.662 +0000 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/etc/apps/eStreamer/log.
11-07-2016 13:38:37.663 +0000 INFO TailingProcessor - Adding watch on path: /opt/splunk/etc/apps/eStreamer/log.
11-07-2016 13:43:42.110 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/eStreamer/bin/" Nov 07 13:43:42 [129229] Daemonizing process

0 Karma


@cstarford I am getting the same issue now. Can I know how you resolved it?

0 Karma