Splunk App for Stream not capturing any data

switch13
New Member

Hi,

Good Day.
I've been trying to use the Splunk App for Stream. I followed the installation procedure to the letter, but whenever I search for the stream (source="stream") I get 0 results. Has anyone encountered this?
I am hoping someone could help me fix or troubleshoot my issue. Thank you in advance.

Edit: steps I did

  1. New instance of Splunk Enterprise 6.1.3
  2. Installed the Splunk App for Stream via the web UI
  3. Granted the proper permissions to Splunk_TA_stream
  4. Enabled Wire Data from Data Inputs

I am stuck on the next part because I cannot search any file, probably because it is not indexing any. Any help would be much appreciated. Thank you.

0 Karma
1 Solution

mdickey_splunk
Splunk Employee

I just verified that using the "Find More Apps" browser in the Splunk Enterprise UI to download and install App for Stream causes it to drop certain necessary files from the installation package. If the UI at http://localhost:8889 opens a pop-up asking you to add a new server, you have probably fallen victim to this bug. You can correct this by following these steps:

  • cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
  • touch darwin_x86_64/bin/.modinput linux_x86/bin/.modinput linux_x86_64/.modinput
  • Restart the "Wire Data" data input in Splunk's UI by clicking "disable" and then "enable"

If you download the splunk_app_stream.tar.gz file directly from apps.splunk.com and either uncompress it manually or use the "Install from file" feature in the Splunk Enterprise UI, it works properly. Only the "Find More Apps" browser is corrupting the download.

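The repair above is a manual recipe. The script below is an added example, not part of the thread and not Splunk's own tooling: it recreates the three marker files exactly as the accepted answer lists them (only where the parent directory already exists, so an unexpected layout is reported rather than silently patched), and then generalizes the "install from file works, Find More Apps corrupts the download" observation into an integrity check: every regular file in the package downloaded directly from apps.splunk.com must be present in the installed tree. It also runs the two checks mdickey_splunk asks for later in the thread (is streamfwd running as root, does http://localhost:8889 answer). The `/opt/splunk` default, the `STREAM_TARBALL` variable, the `run` argument and the assumption that archive members are app-relative paths such as `Splunk_TA_stream/...` are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk: repair and verify a
# Splunk_TA_stream install whose .modinput marker files were dropped by the
# "Find More Apps" download, then run the checks asked for in the thread.
# SPLUNK_HOME defaults to /opt/splunk (an assumption of this example).

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
TA_DIR="$SPLUNK_HOME/etc/apps/Splunk_TA_stream"

# Marker files exactly as listed in the accepted answer, relative to TA_DIR.
MODINPUT_MARKERS="darwin_x86_64/bin/.modinput linux_x86/bin/.modinput linux_x86_64/.modinput"

# Create each missing marker whose parent directory already exists and print
# how many were created. Parent directories are never created on purpose: if
# one is absent the install is more broken than this fix addresses, so the
# path is reported on stderr instead of being papered over.
ensure_modinput_markers() {
    ta_dir="$1"
    created=0
    for rel in $MODINPUT_MARKERS; do
        target="$ta_dir/$rel"
        [ -e "$target" ] && continue
        if [ -d "$(dirname "$target")" ]; then
            : > "$target"
            created=$((created + 1))
        else
            echo "skip: $(dirname "$target") does not exist" >&2
        fi
    done
    echo "$created"
}

# Compare an installed tree against the package downloaded directly from
# apps.splunk.com: every regular file in the archive must exist under
# apps_dir ($SPLUNK_HOME/etc/apps). Assumes (this example's assumption) that
# archive members are app-relative paths such as
# Splunk_TA_stream/linux_x86_64/bin/.modinput. Prints each missing path and
# returns 1 if anything is missing, so a corrupted install is caught before
# it is trusted.
missing_from_install() {
    tarball="$1"
    apps_dir="$2"
    missing=0
    for member in $(tar -tzf "$tarball"); do
        case "$member" in */) continue ;; esac   # directory entries
        if [ ! -e "$apps_dir/$member" ]; then
            echo "missing: $member"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# The process check from the thread: streamfwd opens raw capture sockets, so
# it is expected to be running as root. Prints the owning user if found.
streamfwd_status() {
    ps -eo user=,comm= | awk '$2 == "streamfwd" { print "streamfwd running as " $1; found = 1 }
                              END { exit !found }'
}

# The UI check from the thread: succeeds only on an HTTP 200 from port 8889.
stream_ui_responds() {
    command -v curl >/dev/null 2>&1 || { echo "curl not found, check http://localhost:8889 manually" >&2; return 2; }
    curl -s -o /dev/null -w '%{http_code}' http://localhost:8889/ | grep -q '^200$'
}

main() {
    [ -d "$TA_DIR" ] || { echo "$TA_DIR not found; set SPLUNK_HOME" >&2; return 1; }
    echo "created $(ensure_modinput_markers "$TA_DIR") marker file(s)"
    # STREAM_TARBALL (hypothetical variable): path to splunk_app_stream.tar.gz
    [ -n "${STREAM_TARBALL:-}" ] && missing_from_install "$STREAM_TARBALL" "$SPLUNK_HOME/etc/apps"
    streamfwd_status || echo "streamfwd is not running"
    stream_ui_responds || echo "no HTTP 200 from http://localhost:8889/"
    log="$SPLUNK_HOME/var/log/splunk/streamfwd.log"
    [ -f "$log" ] && tail -n 20 "$log"
    echo "now disable and re-enable the Wire Data input in Splunk Web"
}

# Runs only when invoked as a script:  sh check_stream.sh run
case "${1:-}" in run) main ;; esac
```

Run it as the user that owns `$SPLUNK_HOME` rather than as root, so the recreated files keep the ownership the rest of the app has; only streamfwd itself needs root, for packet capture. Comparing against the package from apps.splunk.com is the more useful half: it catches any file the broken downloader dropped, not only the three `.modinput` markers the accepted answer happened to identify.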

Akili
Path Finder

"SnifferReactor no capture network interfaces"

This can be bypassed by specifying the NIC name in the capture section of the streamfwd.xml file.

0 Karma

Michael
Contributor

Same issue:
- newest Splunk (6.3.3)
- newest stream (6.4.2)
- installed manually (from file)
- confirmed permissions
- wire input set properly (it was done for me automagically) and enabled
-- even did the trick of restarting it as described above
- enabled all the default streams
- did the kernel buffer resizing trick
- confirmed inputs.conf is correct (according to documentation)
- edited streamfwd.xml to use correct interface (according to documentation)
- confirmed interface is getting data with tcpdump
- restarted Splunk instance (a couple of times...)
- sacrificed a large chicken

No data shown in source="stream*" or in the UI.
Perhaps the streamfwd.log file doesn't exist any more in this version, or didn't get created...?

0 Karma

mdickey_splunk
Splunk Employee

This problem has been fixed in the 6.0.2 release, which is now available for download at http://apps.splunk.com/app/1809/

mathiask
Communicator

I encountered a similar problem when installing it via the web, but when I first downloaded the file and then installed from file, it worked properly.

I effectively encountered the following situation:
- The stream forwarder process was running
- The UI responded on localhost:8889, but I immediately got a pop-up asking me to add a server on 8888; in the UI I could not do anything since I got a "you do not have the permission to perform PUT requests" or so
- The UI also didn't show a Splunk destination like localhost:8000

When it works properly:
- The stream forwarder process is running
- The UI is responding on localhost:8889, showing one table for the stream forwarder and one table for Splunk

mdickey_splunk
Splunk Employee

Do you see any error messages in your $SPLUNK_HOME/var/log/splunk/streamfwd.log file? Do you see a "streamfwd" executable running (as root) and are you able to access it at http://localhost:8889 ?

0 Karma

Michael
Contributor

I downvoted this post because there is no such file...?

0 Karma