
Splunk Stream Add-On for Stream Forwarders not connecting to search indexer with "wrong version number" error?

M00nc4t
Engager

I'm running a tiny proof-of-concept Splunk environment across 2 VMs. SE is on VM1 (Ubuntu 20.04), version 8.1.1. The universal forwarder is on VM2 (Ubuntu 20.04) and is sending the Splunk_TA_nix add-on metric data back just fine.

I have installed/configured version 7.3 of the Splunk Stream Add-On for Stream Forwarders on the universal forwarder and installed the Splunk Stream App on the SE VM, also version 7.3. 

On the forwarder there are the following conf files in /opt/splunkforwarder/etc/apps/Splunk_TA_stream/local:

----inputs.conf----
splunk_stream_app_location = https://10.0.2.15:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
---------------------------

----streamfwd.conf----
port = 8889
ipAddr = 127.0.0.1
----------------------------

I can't get the network stream data from the forwarder into the SE search/reporting app, or the SE Stream app. The /opt/splunkforwarder/var/log/splunk/streamfwd.log is the only thing from the stream add-on on the forwarder that will place any data in SE at all and includes an error that says:

(CaptureServer.cpp:2211) stream.CaptureServer - unable to ping server (<longerrorcode>): Unable to establish connection to 10.0.2.15: wrong version number

8.1 should be compatible with the 7.3 installs of either stream app. Additionally I haven't seen anything mandating a specified version number anywhere. 

Things I have tried:

I can successfully ping SE at https://10.0.2.15:8000.

Tried modifying the .conf files in apps/default on the forwarder, which the docs say you're not supposed to do. Didn't work.

Tried all manner of switching port numbers in the .conf files.

Restarted many, many times. 

I am out of ideas. Someone please help?

 

 


kennybirdwell
Explorer

Same worked for me as well, thanks.


M00nc4t
Engager

Problem has been solved. Solution:

Modifying the inputs.conf file in /opt/splunkforwarder/etc/apps/Splunk_TA_stream/local to use HTTP...not HTTPS. 

Hope this helps someone. 
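
Added example, not part of the original posts and not Splunk code: "wrong version number" is the error a TLS client reports when the listener answers its handshake with something that is not a TLS record, such as plain HTTP, so this sketch probes a port with TLS, then with plain HTTP, and compares the result with the scheme in a splunk_stream_app_location URL. The function names and the local stand-in listener are constructed for illustration.

```python
import socket, ssl, threading
from urllib.parse import urlsplit

def probe_scheme(host, port, timeout=3.0):
    """Return (scheme, tls_error): scheme is 'https', 'http' or 'unknown'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # diagnostic only: testing protocol, not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return "https", ""
    except OSError as exc:              # ssl.SSLError is an OSError subclass
        # A plaintext reply to the ClientHello typically surfaces as WRONG_VERSION_NUMBER
        tls_error = getattr(exc, "reason", None) or str(exc)
    try:                                # handshake failed: does plain HTTP answer instead?
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            if raw.recv(16).startswith(b"HTTP/"):
                return "http", tls_error
    except OSError:
        pass
    return "unknown", tls_error

def check_app_location(url):
    """Compare the scheme configured in the URL with what the port actually speaks."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    actual, tls_error = probe_scheme(parts.hostname, port)
    return {"configured": parts.scheme, "actual": actual,
            "match": parts.scheme == actual, "tls_error": tls_error}

def start_plaintext_listener():
    """Constructed stand-in for a web port serving plain HTTP; returns its port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    conn.recv(4096)
                    conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            except OSError:
                pass                    # client went away; keep serving
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    p = start_plaintext_listener()
    print(check_app_location(f"https://127.0.0.1:{p}/en-us/custom/splunk_app_stream/"))
```

A result of "actual": "http" means the forwarder-to-app traffic is unencrypted after the change to HTTP. To keep https in inputs.conf instead, the web port itself has to serve TLS, which in Splunk Web is the enableSplunkWebSSL setting in web.conf.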
