Re: Splunk Stream TA with capturing capability tur...

support0 · ‎09-30-2017

Hi there,

I have deployed Splunk Stream on a distributed environment to ingest DNS first.

I have followed howtos here and there and everything is fine with collected data.

One thing remains unclear.

I have Splunk Stream + Stream TA on my ES Search Head
Stream TA on another Search Head > just for parsing
Stream TA on Deployement Server > just for parsing
Stream TA on Indexer > for indexing, timestamp etc.
Stream TA + inputs on DNS servers

However I do receive error messages from SH, DS & IDX mentioning permission issues :

Unable to initialize modular input "streamfwd" defined inside the app "Splunk_TA_stream": Introspecting scheme=streamfwd: Unable to run "/opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd --scheme": child failed to start: Permission denied

I have already used set_permissions.sh so that might be due to the the fact that Splunk is running as non-root.

However, on these instance, the TA is not there for capturing any stream, so isn't better to just turn off TA's network capturing capability ?

I am wondering what files should I removed from the TA to do this and if this is is a good idea to do so.

Thanks in advance,

support0 · ‎10-05-2017

Hi,

Thanks for the help,

Actually I had the same issue than the one described there :

https://answers.splunk.com/answers/475630/splunk-app-for-stream-why-does-set-permissionssh-s.html

So I resolved it the same way.

Thanks

vshcherbakov_sp · ‎10-02-2017

Have you checked whether streamfwd modular input is disabled on IDX/SH/DS instances?

Splunk Stream TA with capturing capability turned off

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!