This might just be a sanity check....but I'll ask anyway.
Deployed Stream yesterday to around ~360 hosts (all Windows - need to run the setpermissions on the nix before they'll come up). Everything set to estimate except DNS which is rolled out to all hosts.
I can see a nice, constant flow of data into the stream index, ES is triggering notables, everything seems like it is working nicely.
I check out the Stream forwarder status and I'm bouncing around from 100-300 hosts with an error status over the last hour (this is constant since I've deployed) a fairly constant active of between 50-80 and a couple in a warning.
When I check out the internal logs I see this:
Unable to ping server (8f938d78-0c1b-43a6-b32c-e6e094e7bc2b): /en-us/custom/splunk_app_stream/ping/ status=502
Checked we can ping that. Also, check and these same hosts have data, in fact ALL hosts have data.
As I look in the Stream SH I see these corrosponding errors
1. if you installed "Splunk TA for Stream" or "Splunk App for Stream" (or both?!)
2. For ping error 502 Google gives me - "A 502 Bad Gateway indicates that the edge server (server acting as a proxy) was not able to get a valid or any response from the origin server (also called upstream server)"-- -does it ring a bell?