I face a special problem starting the stream forwarder as a service on Ubuntu 18.04 (in dedicated mode), and it cannot start unless I use this command:
Using other start methods, I receive this error in streamfwd.log:
2020-07-10 20:02:11 INFO  (CaptureServer.cpp:452) stream.CaptureServer - Launch child process for dedicated capture mode
2020-07-10 20:02:11 INFO  (CaptureServer.cpp:490) stream.CaptureServer - Launch child process for restoring interfaces
2020-07-10 20:02:11 INFO  (CaptureServer.cpp:816) stream.CaptureServer - Found DataDirectory: /opt/streamfwd/data
2020-07-10 20:02:11 INFO  (CaptureServer.cpp:822) stream.CaptureServer - Found UIDirectory: /opt/streamfwd/ui
2020-07-10 20:02:11 ERROR  (SnifferReactor/DpdkNetworkCapture.cpp:1308) stream.NetworkCapture - Error: basic_string::_S_construct null not valid
2020-07-10 20:02:11 FATAL  (main.cpp:1150) stream.main - Failed to start streamfwd, the process will be terminated: DPDK failed to initialize
2020-07-10 20:02:11 INFO  (CaptureServer.cpp:622) stream.CaptureServer - kernel interfaces restored
Do you have any idea how to resolve this problem?
I've just remembered another little problem; perhaps it is your case:
There is no template called Splunk. If you search on /opt/streamfwd/configs, you will only find two templates, one for ES, and another for ITSI.
You have to create another directory under /opt/streamfwd/configs (I called it Splunk) and select and modify for your needs the xml files you will find in these templates. I started by modifying the xml files under the Default directory of the Stream App located on the indexer, which seem to have the same format.
If it doesn't work, check the log file located at /opt/streamfwd/var/log and post some errors here.
I had similar behaviour last month, but on CentOS 7. Try to use a template or create your own.
Now I'm using my own template and it works pretty stably.
If you have many filters or aggregations, some problems could occur.
Also you need some tuning in streamfwd.conf; here's mine as an example:
port = 8889
ipAddr = 127.0.0.1
dedicatedCaptureMode = 1
streamfwdcapture.0.interface = 0000:00:13.0
#usePacketMemoryPool = true
#streamfwdcapture.0.interface = eth1
streamfwdcapture.0.offline = false
configTemplateName = splunk
pcapBufferSize = 40000000000
maxTcpSessionCount = 1000000
maxTcpReassemblyPacketCount = 2000000
maxEventQueueSize = 100000000
maxPacketQueueSize = 16777216
maxEventAttributes = 2000
tcpConnectionTimeout = 10
processingThreads = 24
httpEventCollectorToken = 743e2231-8.......
indexer.0.uri = http://yourindexer:8088
Hope it helps!
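As an added example (not from the original posts or from Splunk), here is a small checker for the kind of streamfwd.conf shown above. It parses the key = value format the config uses (an assumption about the format beyond what the page shows), flags a dedicated-capture interface that is not a PCI address like the 0000:00:13.0 in the working config, a configTemplateName with no matching directory under configs, and a HEC token that would travel over plain http. The sample config and the token value are constructed placeholders.

```python
import re

# Constructed sample modelled on the streamfwd.conf in the answer above;
# the token and indexer host are placeholders, not real values.
SAMPLE_CONF = """\
port = 8889
ipAddr = 127.0.0.1
dedicatedCaptureMode = 1
streamfwdcapture.0.interface = eth1
#streamfwdcapture.0.interface = 0000:00:13.0
configTemplateName = splunk
httpEventCollectorToken = PLACEHOLDER-HEC-TOKEN
indexer.0.uri = http://yourindexer:8088
"""

# PCI bus address form used by the working dedicated-capture config: dddd:bb:dd.f
PCI_ADDR = re.compile(r"^[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[0-9a-fA-F]{2}\.[0-7]$")

def parse_conf(text):
    """Parse 'key = value' lines; lines starting with '#' are comments (assumed)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def check_conf(conf, templates_present):
    """Return findings; templates_present = directory names under configs/."""
    findings = []
    if conf.get("dedicatedCaptureMode") == "1":
        ifaces = [v for k, v in conf.items()
                  if k.startswith("streamfwdcapture.") and k.endswith(".interface")]
        if not ifaces:
            findings.append("dedicated mode set but no streamfwdcapture.N.interface")
        for iface in ifaces:
            if not PCI_ADDR.match(iface):
                findings.append(f"interface {iface!r} is not a PCI address such as "
                                "0000:00:13.0 as used by the working dedicated config")
    tmpl = conf.get("configTemplateName")
    if tmpl and tmpl.lower() not in {t.lower() for t in templates_present}:
        findings.append(f"configTemplateName {tmpl!r} has no directory under configs")
    uri = conf.get("indexer.0.uri", "")
    if uri.startswith("http://") and conf.get("httpEventCollectorToken"):
        findings.append("HEC token would be sent over plaintext http; use https")
    return findings
```

Feed templates_present from a directory listing of /opt/streamfwd/configs on the host you are checking.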