Cisco eStreamer for Splunk: How to troubleshoot error in which eStreamer logs are not displayed in Splunk?

mohammed7860
Explorer

Hi

I am using the eStreamer app in Splunk, but I am unable to get streamer logs displayed on the Splunk Search Head. We are utilizing a heavy forwarder server to dump the streamer logs into the 'log' folder on this heavy forwarder server. The logs are regularly getting dumped in the 'log' folder, and a successful connection is established between the heavy forwarder and the indexers and between the heavy forwarder and the streamer management console, which runs the service on port 8302.

A look in splunkd.log shows the following error:

10-24-2016 15:21:36.349 -0500 ERROR ExecProcessor - message from "python /oap/poap/a00/splunk/etc/apps/eStreamer/bin/client_check.py" Oct 24 15:21:36 [20956] Daemonizing process

But manually invoking the client_check.py script shows that the client is running. Splunk has permission to read the script as well:

-rwxr-xr-x 1 splunk splunk     8753 Oct 18 13:28 client_check.py

splunk@eagnmnmbp275:/oap/poap/a00/splunk/etc/apps/eStreamer/bin> ./client_check.py
event_sec=1477341054 status_id=1 status="eStreamer client is running."

Can someone assist me in troubleshooting this issue?

Thanks

Mohammed

douglashurd
Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented, but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting, you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

cstarford
Explorer

I'm having the same issue... eStreamer Dashboard shows 'RUNING'. There is no eStreamer.log file created, and I see the following in splunkd.log:

11-07-2016 13:38:37.451 +0000 INFO ExecProcessor - New scheduled exec process: python /opt/splunk/etc/apps/eStreamer/bin/client_check.py
11-07-2016 13:38:37.662 +0000 INFO TailingProcessor - Parsing configuration stanza: monitor://$SPLUNK_HOME/etc/apps/eStreamer/log.
11-07-2016 13:38:37.663 +0000 INFO TailingProcessor - Adding watch on path: /opt/splunk/etc/apps/eStreamer/log.
11-07-2016 13:43:42.110 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/eStreamer/bin/client_check.py" Nov 07 13:43:42 [129229] Daemonizing process

anandhalagaras1
Path Finder

@cstarford I am getting the same issue now. Can I know how you resolved it?
