Hi,
Good day.
I've been trying to use the Splunk App for Stream. I followed the installation procedure to the letter, but whenever I search for the stream (source="stream") I get 0 results. Has anyone encountered this?
I am hoping someone could help me fix or troubleshoot my issue. Thank you in advance.
Edit: steps I did:
- new instance of Splunk Enterprise 6.1.3
- installed Splunk App for Stream via web
- granted proper permission to Splunk_TA_stream
- enabled wire data from data inputs.
I am stuck on the next part because I cannot search any file, probably because it is not indexing any. Any help would be much appreciated. Thank you.
I just verified that using the "Find More Apps" browser in the Splunk Enterprise UI to download and install App for Stream causes it to drop certain necessary files from the installation package. If the UI at http://localhost:8889 opens a pop-up asking you to add a new server, you have probably fallen victim to this bug. You can correct this by following these steps:
- cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
- touch darwin_x86_64/bin/.modinput linux_x86/bin/.modinput linux_x86_64/.modinput
- Restart the "Wire Data" data input in Splunk's UI by clicking "disable" and then "enable"
If you download the splunk_app_stream.tar.gz file directly from apps.splunk.com and either uncompress it manually or use the "Install from file" feature in the Splunk Enterprise UI, it works properly. Only the "Find More Apps" browser is corrupting the download.
"SnifferReactor no capture network interfaces" can be bypassed by specifying the NIC name in the capture in the streamfwd XML file.
Same issue:
- newest Splunk (6.3.3)
- newest stream (6.4.2)
- installed manually (from file)
- confirmed permissions
- wire input set properly (it was done for me automagically) and enabled
-- even did the trick of restarting it as described above
- enabled all the default streams
- did the kernel buffer resizing trick
- confirmed inputs.conf is correct (according to documentation)
- edited streamfwd.xml to use correct interface (according to documentation)
- confirmed interface is getting data with tcpdump
- restarted Splunk instance (a couple of times...)
- sacrificed a large chicken
No data shown in source="stream*" or in the UI.
Perhaps the streamfwd.log file doesn't exist any more in this version, or didn't get created...?
This problem has been fixed in the 6.0.2 release, which is now available for download at http://apps.splunk.com/app/1809/
I encountered a similar problem when installing it via web, but when I first downloaded the file and then installed from file it worked properly.
I effectively encountered the following situation:
- The streamforwarder process was running
- responding UI on localhost:8889, but I immediately got a pop-up asking me to add a server on 8888; in the UI I could not do anything since I get a "you do not have the permission to perform PUT requests" or so
- the UI also didn't show a Splunk destination like localhost:8000
When it works properly:
- streamforwarder process is running
- UI is responding on localhost:8889 showing one table for the stream forwarder and one table for Splunk
Do you see any error messages in your $SPLUNK_HOME/var/log/splunk/streamfwd.log file? Do you see a "streamfwd" executable running (as root) and are you able to access it at http://localhost:8889?
I downvoted this post because no such file...?