Hello,
I am attempting to install the Splunk Stream but am running into issues after installing the necessary packages. I am installing the Stream App on a standalone Splunk instance on a VM and have tried on Ubuntu 22.04, Windows 10, and Windows 2019 Server, both on-premise and in AWS/Azure, and am running into the exact same issue.
After installing the Splunk App for Stream, Wire Data add-on, and Stream Forwarder add-on as instructed on the link below, when I check the 'Collect data from this machine using Wire Data input (Splunk_TA_stream)', I get the following error: Failed to detect Splunk_TA_stream status.
Pressing 'Redetect' does not help and running the permissions.sh script does not change anything. The Splunk instance itself is a fresh install (no additional configurations) and no other Apps besides Stream and its required add-ons have been installed.
Can someone please help provide an explanation of this error I am getting and why it is happening, regardless of which OS I am using? Are there additional steps I must complete? Any guidance is appreciated.
The workflow I have done is as follows:
1. deploy VM (on-prem or cloud, I have used both Ubuntu 22.07 and Windows)
2. install Splunk Enterprise on new VM
3. install Splunk App for Stream, Wire Data add-on, and Stream Forwarder
4. Restart the Splunk instance
Was this ever solved? I am currently facing the same issue. I have already spent an afternoon trying to fix the permissions but nothing seems to work.
I'll just reply to myself here:
The issue was that the hostname for some reason doesn't resolve properly in the inputs.conf file. It is supposed to automatically insert the actual hostname, but it doesn't.
I created the file "$SPLUNK_HOME/etc/system/default/inputs.conf" (as it didn't exist yet) and entered the following lines (replace [HOSTNAME] with the name of your host system running Splunk):
[default]
host = [HOSTNAME]
This should override the default configuration in "$SPLUNK_HOME/etc/system/local/inputs.conf".
Afterwards, everything worked correctly.
This one actually fixed the issue. I've been working on this for over a day without a solution.