All Apps and Add-ons

Splunk Add-on for Apache Web Server not working

ammul440
New Member

Hello all,

I have installed app "Splunk Add-on for Apache Web Server" from splunk web. Unfotrunately when i try to create Data input i am unable to select the source type for ex: apache:access and when i try to launch app it says page not found. please help. I also tried to download the addon and uploaded the tar file to update add-on, but it doesnot work. please suggest

Tags (1)
0 Karma

ammul440
New Member

The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. Learn more.

can anyone help me with this error. I am unable to forward the logs to splunk server

0 Karma

jbrocks
Communicator

Referring to your outputs.conf: Add forwardedindex.0.whitelist = .* to your outputs.conf [tcpout:default-autolb-group] stanza and restart the Forwarder. You just telling Splunk to forward, but not what to forward. By this setting Splunk forwards everything. If there is still nothing coming it it could also be a firewall problem.

0 Karma

ammul440
New Member

Hi, I have added as above and unfortunately i could still see "its waiting for data" and I got this warning message from the GUI.

"The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data."

0 Karma

jbrocks
Communicator

Do you also have an inputs.conf on your indexer with

[splunktcp://9997]
disabled = 0

?
What does the splunkd.log say of indexer and forwarder?
What is the output of:
on indexer

tail -n100 /opt/splunk/var/log/splunk/splunkd.log | grep ERROR

or on the Forwarder
tail -n100 /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR

0 Karma

ammul440
New Member

Hi yes, I have an indexer as mentioned above

tail -n30 /opt/splunk/var/log/splunk/splunkd.log | grep ERROR
02-25-2019 16:13:45.647 +0100 ERROR TcpOutputFd - Invalid payload_size=1397966893 received while in parseState=1
02-25-2019 16:13:45.647 +0100 ERROR TcpOutputFd - Invalid payload_size=1213486160 received while in parseState=1

tail -n30 /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR
02-25-2019 16:08:12.463 +0100 ERROR TcpOutputFd - Read error. Connection reset by peer
02-25-2019 16:08:12.464 +0100 ERROR TcpOutputFd - Connection to host=192.4.81.11:9997 failed
02-25-2019 16:08:12.464 +0100 ERROR TcpOutputFd - Connection to host=192.4.81.11:9997 failed

0 Karma

ammul440
New Member

Hi,

Yes I am finding in sourcetype, unfortunately I am unable to see the host as it always shows in search " waiting for data". I have configured Universal forwader on host.

0 Karma

andhika_pratama
Explorer

you should know the difference of TA and Apps.
-App is used for UI template and sometime contains TA inside. It can be visible or invisible
-TA is used to help the data parsing in indexing level or visualization level. It's invisible only, because mostly placed in forwarders and indexers

0 Karma

ammul440
New Member

Hi, Yes I have configured the Universl forwarder on the host with outputs and inputs.conf as below and restarted the splunk, but still I could not find the host on the data ysummary tab. Any suggestions would be helpful. Thanks.

cat outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 192.4.81.11:9997

inputs.conf

[monitor:///var/log/apache2/access.log]
sourcetype=apache:access
disabled = 0

0 Karma

jbrocks
Communicator

How do you try to launch the app? Splunk Add-on for Apache Web Server is a TA, so it does not have a GUI App interface. But sourcetypes should be available in the sourcetype overview or when you try to add an input.
[ui]
is_visible = false

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...