
Splunk Stream Start Error on Ubuntu 18.04

banaie
Path Finder

Hi all

I face a special problem starting the stream forwarder as a service on Ubuntu 18.04 (in dedicated mode), and it cannot start unless I use this command:

/opt/streamfwd/bin/streamfwd -D


Using other start methods, I receive this error in streamfwd.log:

2020-07-10 20:02:11 INFO [140564408074944] (CaptureServer.cpp:452) stream.CaptureServer - Launch child process for dedicated capture mode
2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:490) stream.CaptureServer - Launch child process for restoring interfaces
2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:816) stream.CaptureServer - Found DataDirectory: /opt/streamfwd/data
2020-07-10 20:02:11 INFO [139766768343360] (CaptureServer.cpp:822) stream.CaptureServer - Found UIDirectory: /opt/streamfwd/ui
2020-07-10 20:02:11 ERROR [139766768343360] (SnifferReactor/DpdkNetworkCapture.cpp:1308) stream.NetworkCapture - Error: basic_string::_S_construct null not valid
2020-07-10 20:02:11 FATAL [139766768343360] (main.cpp:1150) stream.main - Failed to start streamfwd, the process will be terminated: DPDK failed to initialize
2020-07-10 20:02:11 INFO [140041836300608] (CaptureServer.cpp:622) stream.CaptureServer - kernel interfaces restored


Do you have any idea how to resolve this problem?


TNX

0 Karma
1 Solution

banaie
Path Finder

TNX for all suggestions!

I finally succeeded in upgrading to the new Stream 7.3! The problem does not exist in that version!

Thanks again


0 Karma


jraso
Explorer

Good to know, thanks!

0 Karma

jraso
Explorer

I've just remembered another little problem; perhaps it is your case:

  • You have to modify the start script of Streamfwd
    • This is the path: /etc/init.d/streamfwd
    • You have to add these lines to the script, as the error is related to a non-existing directory /var/run/streamfwd:

        # create the run directory streamfwd expects before it is started
        if [ ! -d /var/run/streamfwd ]; then
          mkdir /var/run/streamfwd
        fi

  • Check if it's your case too and please comment.
0 Karma

banaie
Path Finder

@jraso 

TNX. But it didn't work! Is there anything different about configTemplateName (splunk) from the default?

0 Karma

jraso
Explorer

Hi banaie,

There is no template called Splunk. If you search in /opt/streamfwd/configs, you will only find two templates, one for ES and another for ITSI.

You have to create another directory under /opt/streamfwd/configs (I called it Splunk) and select and modify for your needs the xml files you will find in these templates. I started by modifying the xml files under the Default directory of the Stream App located on the indexer, which seem to have the same format.

If it doesn't work, check the log file located in /opt/streamfwd/var/log and post some errors here.

0 Karma

jraso
Explorer

Hi Banaie,

I had similar behaviour last month, but on CentOS 7. Try to use a template or create your own.

Now I'm using my own template and it works pretty stably.

If you have many filters or aggregations, some problems could occur.

Also, you need some tuning in streamfwd.conf; this is mine as an example:

[streamfwd]
port = 8889
ipAddr = 127.0.0.1
dedicatedCaptureMode = 1
streamfwdcapture.0.interface = 0000:00:13.0
#streamfwdcapture.0.filter = 
uioDriverModuleName=uio_pci_generic
#usePacketMemoryPool = true
#streamfwdcapture.0.interface = eth1
streamfwdcapture.0.offline = false
configTemplateName = splunk
pcapBufferSize = 40000000000
maxTcpSessionCount = 1000000
maxTcpReassemblyPacketCount = 2000000
maxEventQueueSize = 100000000
maxPacketQueueSize = 16777216
maxEventAttributes = 2000
tcpConnectionTimeout = 10
processingThreads = 24
httpEventCollectorToken = 743e2231-8.......
indexer.0.uri = http://yourindexer:8088

Hope it helps!

0 Karma
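The two fixes offered in this thread (a template directory that must exist under /opt/streamfwd/configs, and a /var/run/streamfwd directory the init script must create) are both things that can be checked before the service is started. The script below is an added example, not code from the thread or from Splunk: a preflight check that reads the keys from a streamfwd.conf written like the sample above and reports what is missing. The install root and run directory are parameters so it can be run against a scratch copy; the config it demonstrates on is constructed, with a placeholder HEC token, and the check that the dedicated-mode interface looks like a PCI address rather than a kernel interface name is an assumption based on the sample config, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): preflight check for
# starting streamfwd as a service in dedicated capture mode. Root and run
# directory are parameters; defaults on a real host would be /opt/streamfwd
# and /var/run/streamfwd.

# conf_get FILE KEY: print the value of KEY (first uncommented occurrence)
# or nothing if the key is absent. Dots in KEY are escaped for sed.
conf_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# preflight CONF ROOT RUNDIR: print one line per problem and return the
# number of problems found, so 0 means "safe to start the service".
preflight() {
    conf=$1; root=$2; rundir=$3; problems=0

    if [ ! -r "$conf" ]; then
        echo "PROBLEM: cannot read $conf"
        return 1
    fi

    if [ "$(conf_get "$conf" dedicatedCaptureMode)" = "1" ]; then
        # Assumption: dedicated mode hands the NIC to DPDK, so the interface
        # is a PCI address (0000:00:13.0 in the sample), not eth1, and the
        # UIO driver module must be named.
        iface=$(conf_get "$conf" streamfwdcapture.0.interface)
        case "$iface" in
            [0-9a-fA-F]*:[0-9a-fA-F]*:[0-9a-fA-F]*.[0-9]*) ;;
            *) echo "PROBLEM: streamfwdcapture.0.interface='$iface' is not a PCI address"
               problems=$((problems+1)) ;;
        esac
        if [ -z "$(conf_get "$conf" uioDriverModuleName)" ]; then
            echo "PROBLEM: uioDriverModuleName is not set"; problems=$((problems+1))
        fi
    fi

    # The template name must match a directory under <root>/configs; the
    # stock install only ships ES and ITSI, anything else is created by hand.
    tmpl=$(conf_get "$conf" configTemplateName)
    if [ -n "$tmpl" ] && [ ! -d "$root/configs/$tmpl" ]; then
        echo "PROBLEM: configTemplateName='$tmpl' but $root/configs/$tmpl does not exist"
        problems=$((problems+1))
    fi

    # The init script fix from the thread: the run directory must exist.
    if [ ! -d "$rundir" ]; then
        echo "PROBLEM: run directory $rundir is missing (add 'mkdir -p $rundir' to the init script)"
        problems=$((problems+1))
    fi

    for k in httpEventCollectorToken indexer.0.uri; do
        if [ -z "$(conf_get "$conf" "$k")" ]; then
            echo "PROBLEM: $k is not set"; problems=$((problems+1))
        fi
    done

    return "$problems"
}

# Demo on a constructed config (placeholder token, sample values) in a
# scratch directory where the template and run directories are deliberately
# absent, so both checks fire.
demo_root=$(mktemp -d)
cat > "$demo_root/streamfwd.conf" <<'EOF'
[streamfwd]
port = 8889
dedicatedCaptureMode = 1
streamfwdcapture.0.interface = 0000:00:13.0
uioDriverModuleName=uio_pci_generic
configTemplateName = splunk
httpEventCollectorToken = PLACEHOLDER-HEC-TOKEN
indexer.0.uri = http://yourindexer:8088
EOF
preflight "$demo_root/streamfwd.conf" "$demo_root" "$demo_root/run"; rc=$?
if [ "$rc" -eq 0 ]; then
    echo "streamfwd.conf looks ready for dedicated mode"
else
    echo "fix the $rc problem(s) above before starting the service"
fi
rm -rf "$demo_root"
```

On a real host the call would be preflight /opt/streamfwd/local/streamfwd.conf /opt/streamfwd /var/run/streamfwd, and a non-zero exit can be used to stop the init script before streamfwd is launched and fails with the DPDK error from the question.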