Splunk Stream Add-On for Stream Forwarders not connecting to search indexer with "wrong version number" error?

M00nc4t
Engager

I'm running a tiny proof-of-concept Splunk environment across 2 VMs. SE is on VM1 (Ubuntu 20.04), version 8.1.1. The universal forwarder is on VM2 (Ubuntu 20.04) and is sending the Splunk_TA_nix add-on metric data back just fine.

I have installed/configured version 7.3 of the Splunk Stream Add-On for Stream Forwarders on the universal forwarder and installed the Splunk Stream App on the SE VM, also version 7.3. 

On the forwarder there are the following conf files in /opt/splunkforwarder/etc/apps/Splunk_TA_stream/local:

----inputs.conf----
splunk_stream_app_location = https://10.0.2.15:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
---------------------------

----streamfwd.conf----
port = 8889
ipAddr = 127.0.0.1
----------------------------

I can't get the network stream data from the forwarder into the SE search/reporting app, or the SE Stream app. The /opt/splunkforwarder/var/log/splunk/streamfwd.log is the only thing from the stream add-on on the forwarder that will place any data in SE at all and includes an error that says:

(CaptureServer.cpp:2211) stream.CaptureServer - unable to ping server (<longerrorcode>): Unable to establish connection to 10.0.2.15: wrong version number

8.1 should be compatible with the 7.3 installs of either stream app. Additionally I haven't seen anything mandating a specified version number anywhere. 

Things I have tried:

I can successfully ping SE at https://10.0.2.15:8000.

Tried modifying the .conf files in apps/default on the forwarder, which the docs say you're not supposed to do. Didn't work.

Tried all manner of switching port numbers in the .conf files.

Restarted many, many times. 

I am out of ideas. Someone please help?


kennybirdwell
Explorer

Same worked for me as well, thanks.


M00nc4t
Engager

Problem has been solved. Solution:

Modifying the inputs.conf file in /opt/splunkforwarder/etc/apps/Splunk_TA_stream/local to use HTTP...not HTTPS. 

Hope this helps someone. 
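
An added diagnostic, not part of the original posts and not Splunk code: "wrong version number" is what an OpenSSL-based client reports when the reply to its TLS handshake is not a TLS record, for example when the listener speaks plain HTTP. The hypothetical helpers `probe_scheme` and `check_app_location` below test which protocol a port actually speaks and compare it with the scheme in `splunk_stream_app_location`.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def probe_scheme(host, port, timeout=5.0):
    """Return 'https', 'http', 'unknown' or 'unreachable' for host:port."""
    ctx = ssl.create_default_context()
    # Diagnostic only: we ask whether the port speaks TLS at all, not whether
    # its certificate is trusted, so verification is switched off here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "https"
    except OSError:
        # ssl.SSLError is an OSError: the peer answered with non-TLS bytes
        # (the "wrong version number" case) or never completed the handshake.
        pass
    finally:
        raw.close()
    # The TLS handshake failed, so check whether the port answers plain HTTP.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = plain.recv(16)
    except OSError:
        return "unreachable"
    return "http" if reply.startswith(b"HTTP/") else "unknown"


def check_app_location(url, timeout=5.0):
    """Compare the scheme configured in the URL with what the port speaks."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    actual = probe_scheme(parts.hostname, port, timeout)
    return (parts.scheme, actual, parts.scheme == actual)


if __name__ == "__main__":
    # Usage: python3 probe.py <value of splunk_stream_app_location>
    configured, actual, ok = check_app_location(sys.argv[1])
    print(f"configured={configured} actual={actual} match={ok}")
```

A result of `("https", "http", False)` corresponds to the fix reported in this thread. The alternative that keeps the forwarder's connection to the Stream app encrypted is to turn on TLS for Splunk Web (`enableSplunkWebSSL` in web.conf) and leave `https` in inputs.conf.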
