Hi there, i have a small lab at home on which I am running splunk enterprise 9.0.0 build 6818ac46f2ec and a developer license. The Licensing » Installed licenses page shows 3 valid licenses with the following information:
creation_time | 2024-08-11 07:00:00+00:00 |
expiration_time | 2025-02-11 07:59:59+00:00 |
features |
|
is_unlimited | False |
label | Splunk Enterprise Term Non-Production License |
max_violations | 5 |
notes | None |
payload | None |
quota_bytes | 53687091200.0 |
sourcetypes | |
stack_name | enterprise |
status | VALID |
type | enterprise |
window_period | 30 |
creation_time | 2010-06-20 07:00:00+00:00 |
expiration_time | 2038-01-19 03:14:07+00:00 |
features |
|
hash | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD |
is_unlimited | False |
label | Splunk Forwarder |
max_violations | 5 |
notes | None |
payload | None |
quota_bytes | 1048576.0 |
sourcetypes | |
stack_name | forwarder |
status | VALID |
type | forwarder |
window_period | 30 |
creation_time | 2010-06-20 07:00:00+00:00 |
expiration_time | 2038-01-19 03:14:07+00:00 |
features |
|
hash | FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF |
is_unlimited | False |
label | Splunk Free |
max_violations | 3 |
notes | None |
payload | None |
quota_bytes | 524288000.0 |
sourcetypes | |
stack_name | free |
status | VALID |
type | free |
window_period | 30 |
I would like to experiment with Splunk Stream for capturing DNS records before implementing in our production environment. I have installed Splunk Stream 8.1.3 and most of the menu's within the app work, however when I go to Configuration > Distributed Forwarder Management it just displays a blank page.
When i look at the splunk_app_stream.log I can see the following error
2024-08-15 14:51:58,543 ERROR rest_indexers:62 - failed to get indexers peer
Traceback (most recent call last):
File "/opt/splunk/etc/apps/splunk_app_stream/bin/rest_indexers.py", line 55, in handle_GET
timeout=splunk.rest.SPLUNKD_CONNECTION_TIMEOUT
File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 612, in simpleRequest
raise splunk.LicenseRestriction
splunk.LicenseRestriction: [HTTP 402] Current license does not allow the requested action
2024-08-15 14:51:58,580 ERROR indexer:52 - failed to list indexers
Traceback (most recent call last):
File "/opt/splunk/etc/apps/splunk_app_stream/bin/splunk_app_stream/models/indexer.py", line 43, in get_indexers
timeout=splunk.rest.SPLUNKD_CONNECTION_TIMEOUT
File "/opt/splunk/lib/python3.7/site-packages/splunk/rest/__init__.py", line 669, in simpleRequest
raise splunk.InternalServerError(None, serverResponse.messages)
splunk.InternalServerError: [HTTP 500] Splunkd internal error; []
Does this mean that the splunk dev license does not support Splunk Stream app?
Splunk Stream utilities KVStore Services, 500 ERROR says that App is not able to communicate with KVStore. you can try to make fresh install it will solve this ERRORs and Problem you are facing.
It's not about Stream as such. As far as I remember (but I haven't used the Dev license for some time so don't quote me on that), the Dev license alleviate some limitations of the Free license (most importantly lets you have multiple users and schedule searches) but keeps some of them - single instance installation only and no forwarder management as far as I remember.
Hi Rick - thanks for the reply. I think forwarder management is supported as I have a deployment server running on the same instance - i have created server classes and deployed app's via this so that aspect appears to be working.
My plan was to run stream forwarder on the all in 1 instance and deploy the Splunk_TA_Stream app to my UF's. Should this be possible?
You're right. Come to think of it, my Dev licensed box also worked as DS. That's why I said to not quote me on that 😉
But seriously - the log suggests (you'd have to look in the code d0 verify) that the app is trying to list indexers. And this API endpoint might indeed be not available with Dev license since it's a single instance installation only license.