Dears,
I have installed Splunk 6.3.2 and Splunk App for Stream, but unfortunately, no data can be indexed and below errors appeared:
Unable to ping server (<server id>): Unable to establish connection to localhost: Connection refused
No capture devices found (no matches): (en|eth)[0-9]+
I have checked inputs.conf in /opt/splunk/etc/apps/Splunk_TA_stream/local
and it's as below:
[streamfwd://streamfwd]
splunk_stream_app_location = http://localhost:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
Please advise.
Thanks in advance.
Hello ahmedhassanean,
Can you open http://localhost:8000/en-us/custom/splunk_app_stream/ping URL in a browser?
I presume you have "full" Splunk App Stream (i.e. not just Splunk_TA_Stream) installed on localhost, correct? If not, you need to install it. If Splunk is running with SSL enabled, you need to use https:// instead of http://
Regarding "No capture devices found" error: what is your OS? What does ifconfig command return? Have you run sudo ./setuid.sh script in /opt/splunk/etc/apps/Splunk_TA_stream/ ?
I am running Red Hat 7.1 and I already ran ./setuid.sh, but the problem was solved when I edited the configuration file and specified the interfaces that I want App Stream to capture data from, despite the fact that the default behavior must be to capture data from all interfaces 🙂
I had the same error but another root cause: I changed the server port after installing the Stream app but before configuring it. In order to resolve it I had to set the correct port in the local inputs.conf in the Splunk_TA_stream folder.
Great! Glad to hear you were able to resolve this problem. The default behavior is to capture on interfaces matching the (en|eth)[0-9]+ regex, and it seems like newer versions of Redhat have a different naming convention for network interfaces.
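Added example, not part of the thread and not Splunk's own code: a small pre-flight script for the two errors discussed above. It tests interface names against the default pattern quoted in the thread and derives the ping URL from splunk_stream_app_location. The function names and the sample interface names are constructed for illustration, and whole-name matching of the pattern is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for the two errors in this thread.
# Function names are illustrative; they are not part of Splunk.

DEFAULT_IF_REGEX='(en|eth)[0-9]+'   # default capture pattern quoted in the thread

# Read interface names on stdin, print those the pattern accepts.
# Assumption: the pattern has to match the whole interface name.
# Optional $1: a different pattern to test instead of the default.
matching_interfaces() {
    grep -E -x -e "${1:-$DEFAULT_IF_REGEX}" || true
}

# Read inputs.conf text on stdin, print the ping URL the forwarder depends on
# (splunk_stream_app_location with "ping" appended, as in the thread).
ping_url() {
    sed -n 's/^[[:space:]]*splunk_stream_app_location[[:space:]]*=[[:space:]]*//p' |
        sed -e 's/[[:space:]]*$//' -e 's#/*$#/ping#' | head -n 1
}

# Check this host: stream_preflight [path to inputs.conf]
stream_preflight() {
    conf="${1:-/opt/splunk/etc/apps/Splunk_TA_stream/local/inputs.conf}"
    if [ -d /sys/class/net ]; then
        found=$(ls /sys/class/net | matching_interfaces | tr '\n' ' ')
        if [ -n "$found" ]; then
            echo "interfaces matching the default pattern: $found"
        else
            echo "no interface matches $DEFAULT_IF_REGEX; list interfaces explicitly"
        fi
    fi
    if [ -r "$conf" ]; then
        echo "ping URL: $(ping_url < "$conf")"
        echo "its port and http/https scheme must match Splunk Web"
    fi
}

# Constructed samples: RHEL 7 style names versus legacy names.
RHEL7_NAMES='lo ens33 enp0s3 eno1'
LEGACY_NAMES='lo eth0 en0'

for sample in "$RHEL7_NAMES" "$LEGACY_NAMES"; do
    hits=$(printf '%s\n' $sample | matching_interfaces | tr '\n' ' ')
    echo "sample [$sample] -> matches: [$hits]"
done
stream_preflight "$@"
```

None of the RHEL 7 style sample names match the default pattern, which reproduces the "No capture devices found" condition; the ping URL printed is the one to open in a browser.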