Splunk Stream : Stream Forwarder Auth option in Distributed Forwarder Management

colineltringham
Explorer

Hi,

I've set up and installed Splunk Stream in a test environment consisting of 1 single deployment and 1 universal forwarder. Everything is working as expected, and I am able to receive data from both sources.

If I try to enable "Stream Forwarder Auth" and enter the Token for the HTTP Collector, as soon as I hit apply or thereabouts the stream forwarders fail and I see 401 errors in the webaccess.log, as well as

2017-05-04 19:37:46 ERROR 11552 stream.CaptureServer - Unable to ping server (9c32732f-aa86-4b9d-8735-55d71369e32c): /en-us/custom/splunk_app_stream/ping/ status=401

in the streamfwd.log files.

Clearly I am missing a configuration step.

I've read about the streamfwd.conf file and in there is an option: httpEventCollectorToken. I've set that to be the value of the Collector token manually also, but that hasn't changed anything.

Does anyone have any ideas what I could try?

Thanks

Colin

0 Karma
1 Solution

colineltringham
Explorer

Hi @vshcherbakov_splunk

authToken gives "Invalid key in stanza [streamfwd] in C:\Program Files\Splunk\etc\apps\Splunk_TA_stream\local\streamfwd.conf, line 5: authToken "

when in streamfwd.conf - I had already tried that. What I don't understand is that it appears to be a valid key in the standalone forwarder but not the TA. Is that expected behavior?

The README section in the TA doesn't list authToken anywhere as a valid key, neither do the defaults.

Any other suggestions?

Thanks

Colin

0 Karma

vshcherbakov_sp
Splunk Employee

Hi Colin,

I believe the "invalid key in stanza" error is caused by a bug (namely authToken being omitted in streamfwd.conf.spec). This parameter is applicable to both independent forwarder and TA, so as a workaround I'd suggest adding it to streamfwd.conf.spec manually (i.e. authToken = <value>)

0 Karma

colineltringham
Explorer

Excellent - that did the trick. Adding the authToken key to the spec file in the README folder and adding to the streamfwd.conf with the same key as in the HTTPCollector and the Forwarder Auth and everything seems to be talking.

Just need to play around to find out exactly what is needed where exactly.

Thanks for the help

Colin

0 Karma

vshcherbakov_sp
Splunk Employee

Hi @colineltringham,

I believe you need to set the authToken parameter in streamfwd.conf to match the Stream Auth Token set up on the SH.

0 Karma
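
Added example (not part of the original thread and not Splunk's own code): a simplified model of the spec-file key check behind the "Invalid key in stanza" message, plus a check that the forwarder's authToken equals the Stream Auth Token set on the search head. The spec and conf contents, the all-zero token and the function names are constructed for illustration; real validation is done by Splunk itself and may differ in detail.

```python
import hmac

# Constructed samples: a spec that omits authToken, the same spec after the
# manual workaround, and a local streamfwd.conf with a placeholder token.
SPEC_SHIPPED = "[streamfwd]\nhttpEventCollectorToken = <value>\n"
SPEC_PATCHED = SPEC_SHIPPED + "authToken = <value>\n"
LOCAL_CONF = (
    "[streamfwd]\n"
    "httpEventCollectorToken = 00000000-0000-0000-0000-000000000000\n"
    "authToken = 00000000-0000-0000-0000-000000000000\n"
)

def parse_conf(text):
    """Return {stanza: {key: (line_number, value)}} for .conf/.conf.spec text."""
    stanzas, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = (lineno, value)
    return stanzas

def invalid_keys(spec_text, conf_text):
    """List (stanza, key, line) for conf keys the spec does not declare."""
    spec = parse_conf(spec_text)
    problems = []
    for stanza, keys in parse_conf(conf_text).items():
        allowed = spec.get(stanza, {})
        for key, (lineno, _value) in keys.items():
            if key not in allowed:
                problems.append((stanza, key, lineno))
    return problems

def auth_token_matches(conf_text, search_head_token):
    """True if [streamfwd] authToken equals the search head's token."""
    entry = parse_conf(conf_text).get("streamfwd", {}).get("authToken")
    # compare_digest avoids leaking the match position through timing
    return entry is not None and hmac.compare_digest(entry[1], search_head_token)

if __name__ == "__main__":
    for label, spec in (("shipped", SPEC_SHIPPED), ("patched", SPEC_PATCHED)):
        print(label, invalid_keys(spec, LOCAL_CONF))
```

A mismatch reported by auth_token_matches corresponds to the status=401 ping failures seen in streamfwd.log above.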