All Apps and Add-ons

Splunk Stream TA with capturing capability turned off

Path Finder

Hi there,

I have deployed Splunk Stream on a distributed environment to ingest DNS first.

I have followed howtos here and there and everything is fine with collected data.

One thing remains unclear.

I have Splunk Stream + Stream TA on my ES Search Head
Stream TA on another Search Head > just for parsing
Stream TA on Deployement Server > just for parsing
Stream TA on Indexer > for indexing, timestamp etc.
Stream TA + inputs on DNS servers

However I do receive error messages from SH, DS & IDX mentioning permission issues :

Unable to initialize modular input "streamfwd" defined inside the app "SplunkTAstream": Introspecting scheme=streamfwd: Unable to run "/opt/splunk/etc/apps/SplunkTAstream/linuxx8664/bin/streamfwd --scheme": child failed to start: Permission denied

I have already used set_permissions.sh so that might be due to the the fact that Splunk is running as non-root.

However, on these instance, the TA is not there for capturing any stream, so isn't better to just turn off TA's network capturing capability ?

I am wondering what files should I removed from the TA to do this and if this is is a good idea to do so.

Thanks in advance,

Tags (1)
0 Karma

Path Finder

Hi,

Thanks for the help,

Actually I had the same issue than the one described there :

https://answers.splunk.com/answers/475630/splunk-app-for-stream-why-does-set-permissionssh-s.html

So I resolved it the same way.

Thanks

0 Karma

Splunk Employee
Splunk Employee

Have you checked whether streamfwd modular input is disabled on IDX/SH/DS instances?

0 Karma