I'm running a tiny proof-of-concept Splunk environment across 2 VMs. SE is on VM1 (Ubuntu 20.04), version 8.1.1. The universal forwarder is on VM2 (Ubuntu 20.04) and is sending the Splunk_TA_nix add-on metric data back just fine.
I have installed/configured version 7.3 of the Splunk Stream Add-On for Stream Forwarders on the universal forwarder and installed the Splunk Stream App on the SE VM, also version 7.3.
On the forwarder there are the following conf files in /opt/splunkforwarder/etc/apps/Splunk_TA_stream/local:
----inputs.conf----
splunk_stream_app_location = https://10.0.2.15:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
---------------------------
----streamfwd.conf----
port = 8889
ipAddr = 127.0.0.1
----------------------------
I can't get the network stream data from the forwarder into the SE search/reporting app, or the SE Stream app. The /opt/splunkforwarder/var/log/splunk/streamfwd.log is the only thing from the stream add-on on the forwarder that will place any data in SE at all and includes an error that says:
(CaptureServer.cpp:2211) stream.CaptureServer - unable to ping server (<longerrorcode>): Unable to establish connection to 10.0.2.15: wrong version number
8.1 should be compatible with the 7.3 installs of either stream app. Additionally I haven't seen anything mandating a specified version number anywhere.
Things I have tried:
I can successfully ping SE at https://10.0.2.15:8000.
Tried modifying the .conf files in apps/default on the forwarder, which the docs say you're not supposed to do. Didn't work.
Tried all manner of switching port numbers in the .conf files.
Restarted many, many times.
I am out of ideas. Someone please help?
Same worked for me as well, thanks.
Problem has been solved. Solution:
Modifying the inputs.conf file in /opt/splunkforwarder/etc/apps/Splunk_TA_stream/local to use HTTP...not HTTPS.
Hope this helps someone.
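An added example, not part of the original thread: "wrong version number" is what an OpenSSL-based TLS client reports when the peer answers with something that is not a TLS record, such as plaintext HTTP. The Python sketch below reads `splunk_stream_app_location` from inputs.conf text and probes the listener to see whether it speaks TLS or cleartext HTTP. The function names and the sample conf text are constructed for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample in the shape of the inputs.conf lines quoted in the question.
SAMPLE_CONF = """\
splunk_stream_app_location = https://10.0.2.15:8000/en-us/custom/splunk_app_stream/
disabled = 0
"""

def read_app_location(conf_text):
    """Return the splunk_stream_app_location value from inputs.conf text, or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "splunk_stream_app_location":
            return value.strip()
    return None

def speaks_tls(host, port, timeout=3.0):
    """True if the listener completes a TLS handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only: the certificate is
    ctx.verify_mode = ssl.CERT_NONE  # not validated and no data is sent
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return True
    except OSError:  # ssl.SSLError ("wrong version number") is an OSError subclass
        return False

def speaks_plain_http(host, port, timeout=3.0):
    """True if the listener answers a cleartext request with an HTTP status line."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            return sock.makefile("rb").read(5) == b"HTTP/"
    except OSError:
        return False

def check_app_location(url):
    """Return (configured_scheme, detected_scheme); detected is None if neither answers."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if speaks_tls(parts.hostname, port):
        return parts.scheme, "https"
    if speaks_plain_http(parts.hostname, port):
        return parts.scheme, "http"
    return parts.scheme, None

if __name__ == "__main__":
    configured, detected = check_app_location(read_app_location(SAMPLE_CONF))
    print(f"configured={configured} detected={detected}")
```

A result of `configured=https detected=http` is the mismatch described in this thread; the two schemes should agree before the forwarder is restarted.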