Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Stream Start Error on Ubuntu 18.04
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all
I face a special problem on starting stream forwarder as a service on Ubuntu 18.04 (as dedicated mode) and it can not start unless I use this command:
/opt/streamfwd/bin/streamfwd -D
Using other start methods, I receive this error on streamfwd.log:
2020-07-10 20:02:11 INFO [140564408074944] (CaptureServer.cpp:452) stream.CaptureServer - Launch child process for dedicated capture mode
2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:490) stream.CaptureServer - Launch child process for restoring interfaces
2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:816) stream.CaptureServer - Found DataDirectory: /opt/streamfwd/data
2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:822) stream.CaptureServer - Found UIDirectory: /opt/streamfwd/ui
2020-07-10 20:02:11 ERROR [139766768343360] (SnifferReactor/DpdkNetworkCapture.cpp:1308) stream.NetworkCapture - Error: basic_string::_S_construct null not valid
2020-07-10 20:02:11 FATAL [139766768343360] (main.cpp:1150) stream.main - Failed to start streamfwd, the process will be terminated: DPDK failed to initialize
2020-07-10 20:02:11 INFO [140041836300608] (CaptureServer.cpp:622) stream.CaptureServer - kernel interfaces restored
Have you any idea for resolving this problem?
TNX
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TNX for all suggestions!
I finally succeeded upgrading to new coming stream 7.3! The problem does not exist in that version!
Thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TNX for all suggestions!
I finally succeeded upgrading to new coming stream 7.3! The problem does not exist in that version!
Thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good to know, thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've just remembered another little problem, perhaps is your case:
- You have to modify the start Script of Streamfwd
- This is the path: /etc/init.d/streamfwd
- You have to add these lines to the script, as the error is related to a non existing directory /var/run/streamfwd
- if [ ! -d /var/run/streamfwd ]; then
- mkdir /var/run/streamfwd/
- fi
- Check if it's your case too and please comment.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
TNX. But, it didn't work! Is there anything different about configTemplateName (splunk) from default?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi banaie,
There is no template called Splunk. If you search on /opt/streamfwd/configs, you will only find two templates, one for ES, and another for ITSI.
You have to create another directory under /optstreamfwd/configs (I called it Splunk) and select and modify for your needs the xml files you will find on these templates. I started modifying those xml under the Default directory of Stream App located at the indexer, wich seam to have the same format.
If it doesn't work, check the log file located at /opt/streamfwd/var/log and post some errors here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Banaie,
I had similar behaviour last month, but on CentOS 7. Try to use a template or create your own.
Now I'm using my own template and works pretty stable.
If you have many filters or aggregations, some problems could occur.
Also you need some tunning in streamfwd.conf, that's mine as example:
[streamfwd]
port = 8889
ipAddr = 127.0.0.1
dedicatedCaptureMode = 1
streamfwdcapture.0.interface = 0000:00:13.0
#streamfwdcapture.0.filter =
uioDriverModuleName=uio_pci_generic
#usePacketMemoryPool = true
#streamfwdcapture.0.interface = eth1
streamfwdcapture.0.offline = false
configTemplateName = splunk
pcapBufferSize = 40000000000
maxTcpSessionCount = 1000000
maxTcpReassemblyPacketCount = 2000000
maxEventQueueSize = 100000000
maxPacketQueueSize = 16777216
maxEventAttributes = 2000
tcpConnectionTimeout = 10
processingThreads = 24
httpEventCollectorToken = 743e2231-8.......
indexer.0.uri = http://yourindexer:8088
Hope it helps!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
