Hi,
Good Day.
I've been trying to use the Splunk App for Stream. I followed the installation procedure to the letter, but whenever I search for the stream (source="stream") I get 0 results. Has anyone encountered this?
I am hoping someone could help me fix or troubleshoot my issue. Thank you in advance.
Edit: steps I did
I am stuck on the next part because I cannot search any file, probably because it is not indexing any. Any help would be much appreciated. Thank you.
I just verified that using the "Find More Apps" browser in the Splunk Enterprise UI to download and install App for Stream causes it to drop certain necessary files from the installation package. If the UI at http://localhost:8889 opens a pop-up asking you to add a new server, you have probably fallen victim to this bug. You can correct this by following these steps:
If you download the splunk_app_stream.tar.gz file directly from apps.splunk.com and either uncompress it manually or use the "Install from file" feature in the Splunk Enterprise UI, it works properly. Only the "Find More Apps" browser is corrupting the download.
"SnifferReactor no capture network interfaces" can be bypassed by specifying the NIC name in the capture in the streamfwd xml file.
Same issue:
- newest Splunk (6.3.3)
- newest stream (6.4.2)
- installed manually (from file)
- confirmed permissions
- wire input set properly (it was done for me automagically) and enabled
-- even did the trick of restarting it as described above
- enabled all the default streams
- did the kernel buffer resizing trick
- confirmed inputs.conf is correct (according to documentation)
- edited streamfwd.xml to use correct interface (according to documentation)
- confirmed interface is getting data with tcpdump
- restarted Splunk instance (a couple of times...)
- sacrificed a large chicken
No data shown in source="stream*" or in the UI.
Perhaps the streamfwd.log file doesn't exist any more in this version, or didn't get created...?
This problem has been fixed in the 6.0.2 release, which is now available for download at http://apps.splunk.com/app/1809/
I encountered a similar problem when installing it via web, but when I first downloaded the file and then installed from file it worked properly.
I effectively encountered the following situation:
- The streamforwarder process was running
- responding UI on localhost:8889, but I immediately got a pop-up asking me to add server on 8888; in the UI I could not do anything since I get a "you do not have the permission to perform PUT requests" or so
- the UI also didn't show a Splunk destination like localhost:8000
When it works properly:
- streamforwarder process is running
- UI is responding on localhost:8889 showing one table for the stream forwarder and one table for splunk
Do you see any error messages in your $SPLUNK_HOME/var/log/splunk/streamfwd.log file? Do you see a "streamfwd" executable running (as root) and are you able to access it at http://localhost:8889 ?
I downvoted this post because no such file...?