Are you a member of the Splunk Community?
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Stream TA - Unable to ping server
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello all,
I have a distributed environment containing the following:
- 3 x Search heads (1 captain)
- 4 x Indexers clustered
- 1 x dedicated linux server for Splunk Stream (UF + TA addon)
- 1 x deployment server
- 1x SHCD
- 1x CM
The problem I am having is that for unknown reasons the dedicated splunk stream server is now unable to ping the server with the splunk stream app.
This all was working but I fear I have made a config slip up somewhere.
The Splunk stream TA is deployed to the dedicated stream server from the deployment server and contains the following files/config
- inputs.conf
- streamfwdlog.conf
inputs.conf -
[streamfwd://streamfwd]
splunk_stream_app_location = https://<SERVER_IP>:8000/en-us/app/splunk_app_stream/
stream_forwarder_id =
disabled = 0
I am able to successfully navigate to the stream app location
But the streamfwd logs are showing the following error message
- stream.CaptureServer - Unable to ping server (d6e0ed72-789a-4044-95f7-7de95ddbb221): /en-us/app/splunk_app_stream/ping/ status=303
If I navigate to the same URL with "ping" appended then it returns a 404.
If you require any other info please let me know.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
### Update - Resolved ###
Issue has been resolved.
All the inputs.conf files had the following URL configured:
- 8000/en-us/app/splunk_app_stream/
The Splunk Stream TA will try and append "ping" to the URL in the inputs.conf.
The appended ping only exists on the following URL
- 8000/en-us/custom/splunk_app_stream/
So the fix is to change the URL to en-us/custom/splunk_app_stream/ instead of en-us/app/splunk_app_stream/ in your TA inputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
### Update - Resolved ###
Issue has been resolved.
All the inputs.conf files had the following URL configured:
- 8000/en-us/app/splunk_app_stream/
The Splunk Stream TA will try and append "ping" to the URL in the inputs.conf.
The appended ping only exists on the following URL
- 8000/en-us/custom/splunk_app_stream/
So the fix is to change the URL to en-us/custom/splunk_app_stream/ instead of en-us/app/splunk_app_stream/ in your TA inputs.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You deserve all the kudos.
We had app and custom did the trick.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This really helped me fix my problem.
this should definitely go in the Splunk Stream docs. There are numerous additions required to the docs.
Please convert your reply into an "answer"
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
