All Apps and Add-ons

Splunk Stream: Failed to detect Splunk_TA_stream status

Explorer

I just installed the Stream App on an on-prem heavy fowarder and when I select the "Collect data from this machine using Wire Data input (SplunkTAstream)." I get the following error:

Failed to detect SplunkTAstream status.

the splunkappstream log shows me:

Error getting the streamfwd auth, return streamfwd auth is disabled

Has anyone encountered this issue? If so can you please provide insight on how to solve it?

Regards,

Splunk Employee
Splunk Employee

Seems like there's something wrong with the Stream app install.. There should be exception info logged before the error you're quoting. Can you provide a larger snippet of splunkappstream.log file around the error?

0 Karma

Explorer

Thank you for getting back!

More error details below:

2017-11-08 15:14:49,980 ERROR streamsutils:270 - Error getting the streamfwd auth, return streamfwd auth is disabled
2017-11-08 15:14:54,559 ERROR stream
kvstoreutils:115 - KV store failed to start, setting the kv store fatal error flag to true
2017-11-08 15:14:54,559 INFO stream
kvstoreutils:177 - iskvstoreready, kv store status :: failed
2017-11-08 15:14:54,559 INFO streamkvstoreutils:178 - searchheadshcmember:: serverroles [u'licensemaster', u'deploymentserver']
2017-11-08 15:14:54,559 ERROR streamkvstoreutils:200 - kvstorerestrequest: Timedout waiting for KVstore status False to be ready
2017-11-08 15:14:54,559 ERROR stream
kvstoreutils:340 - readkvstoreappsmeta: Error getting apps meta from kv store collection, reason Timedout waiting for KVstore status to be ready
2017-11-08 15:14:54,559 ERROR stream
kvstoreutils:193 - kvstorerestrequest: fatal error kv store failed to start
2017-11-08 15:14:54,559 ERROR streamfwdauth:62 - expected string or buffer
Traceback (most recent call last):
File "E:\Program Files\Splunk\etc\apps\splunkappstream\bin\splunkappstream\models\streamfwdauth.py", line 53, in get
return readfromkvstorecoll(streamfwdauthkvstorewithsessionkeyuri, sessionKey)
File "E:\Program Files\Splunk\etc\apps\splunk
appstream\bin\streamkvstoreutils.py", line 277, in readfromkvstorecoll
jsonResp = json.loads(serverContent)
File "E:\Program Files\Splunk\Python-2.7\Lib\json_
init.py", line 339, in loads
return defaultdecoder.decode(s)
File "E:\Program Files\Splunk\Python-2.7\Lib\json\decoder.py", line 364, in decode
obj, end = self.rawdecode(s, idx=w(s, 0).end())
TypeError: expected string or buffer
2017-11-08 15:14:54,980 ERROR streamsutils:269 - [HTTP 500] Splunkd internal error; []
Traceback (most recent call last):
File "C:\Program Files\Splunk\etc\apps\splunk
appstream\bin\streamutils.py", line 262, in validatestreamfwdauth
timeout=15
File "C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\rest__init
.py", line 564, in simpleRequest
raise splunk.InternalServerError, (None, serverResponse.messages)
InternalServerError: [HTTP 500] Splunkd internal error; []
2017-11-08 15:14:54,980 ERROR streams_utils:270 - Error getting the streamfwd auth, return streamfwd auth is disabled

0 Karma

Splunk Employee
Splunk Employee

Thanks for providing the log; I believe the problem is due to the KV store being not operational. I'd suggest looking at the mongod.log to see if it's due to expired SSL certificate (the most likely cause per my experience) or some other issue..

0 Karma