Splunk Add-on for Apache Web Server not working
Hello all,
I have installed the app "Splunk Add-on for Apache Web Server" from Splunk Web. Unfortunately, when I try to create a data input I am unable to select the source type, for example apache:access, and when I try to launch the app it says page not found. Please help. I also tried to download the add-on and uploaded the tar file to update the add-on, but it does not work. Please suggest.
The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data. Learn more.
Can anyone help me with this error? I am unable to forward the logs to the Splunk server.
Referring to your outputs.conf: add forwardedindex.0.whitelist = .* to your outputs.conf [tcpout:default-autolb-group] stanza and restart the forwarder. You are just telling Splunk to forward, but not what to forward. With this setting Splunk forwards everything. If there is still nothing coming in, it could also be a firewall problem.
Hi, I have added it as above and unfortunately I could still see "it's waiting for data", and I got this warning message from the GUI.
"The TCP output processor has paused the data flow. Forwarding to output group default-autolb-group has been blocked for 10 seconds. This will probably stall the data flow towards indexing and other network outputs. Review the receiving system's health in the Splunk Monitoring Console. It is probably not accepting data."
Do you also have an inputs.conf on your indexer with
[splunktcp://9997]
disabled = 0
?
What does the splunkd.log of the indexer and of the forwarder say?
What is the output of the following?
On the indexer:
tail -n100 /opt/splunk/var/log/splunk/splunkd.log | grep ERROR
or on the Forwarder
tail -n100 /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR
Hi yes, I have an indexer as mentioned above
tail -n30 /opt/splunk/var/log/splunk/splunkd.log | grep ERROR
02-25-2019 16:13:45.647 +0100 ERROR TcpOutputFd - Invalid payload_size=1397966893 received while in parseState=1
02-25-2019 16:13:45.647 +0100 ERROR TcpOutputFd - Invalid payload_size=1213486160 received while in parseState=1
tail -n30 /opt/splunkforwarder/var/log/splunk/splunkd.log | grep ERROR
02-25-2019 16:08:12.463 +0100 ERROR TcpOutputFd - Read error. Connection reset by peer
02-25-2019 16:08:12.464 +0100 ERROR TcpOutputFd - Connection to host=192.4.81.11:9997 failed
02-25-2019 16:08:12.464 +0100 ERROR TcpOutputFd - Connection to host=192.4.81.11:9997 failed
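
An added example, not part of the original thread: the two payload_size values in the log above are printable ASCII when read as 32-bit big-endian integers, which suggests the peer on that connection sent a text protocol greeting instead of forwarder traffic. The big-endian reading and the hint strings are assumptions of this sketch, not Splunk documentation.

```python
import re
import struct

# Log lines copied from the post above; nothing here is newly captured data.
SAMPLE_LOG = """\
02-25-2019 16:13:45.647 +0100 ERROR TcpOutputFd - Invalid payload_size=1397966893 received while in parseState=1
02-25-2019 16:13:45.647 +0100 ERROR TcpOutputFd - Invalid payload_size=1213486160 received while in parseState=1
02-25-2019 16:08:12.463 +0100 ERROR TcpOutputFd - Read error. Connection reset by peer
"""

PAYLOAD_RE = re.compile(r"Invalid payload_size=(\d+)")

# Assumed hints for this sketch: text greetings whose first four bytes
# would be misread as a length field by a binary protocol parser.
HINTS = {
    b"HTTP": "peer answered with an HTTP response; the port is likely a web or REST listener",
    b"SSH-": "peer answered with an SSH banner; the port is likely an SSH daemon",
}


def decode_payload_size(value):
    """Return the four bytes behind a 32-bit big-endian value, or None if out of range."""
    if not 0 <= value <= 0xFFFFFFFF:
        return None
    return struct.pack(">I", value)


def explain(line):
    """Decode one splunkd.log line; return None when it has no payload_size error."""
    match = PAYLOAD_RE.search(line)
    if match is None:
        return None
    raw = decode_payload_size(int(match.group(1)))
    if raw is None:
        return None
    printable = all(0x20 <= b <= 0x7E for b in raw)
    return {
        "payload_size": int(match.group(1)),
        "ascii": raw.decode("ascii") if printable else None,
        "hint": HINTS.get(raw, "no known text greeting; value may be a genuine length"),
    }


def scan(log_text):
    """Return one finding per 'Invalid payload_size' line in the log text."""
    return [r for r in (explain(l) for l in log_text.splitlines()) if r is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
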
Hi,
Yes, I am finding it in sourcetype; unfortunately I am unable to see the host, as it always shows "waiting for data" in search. I have configured the Universal Forwarder on the host.
You should know the difference between TAs and Apps.
- An App is used for UI templates and sometimes contains a TA inside. It can be visible or invisible.
- A TA is used to help the data parsing at the indexing level or visualization level. It is invisible only, because it is mostly placed on forwarders and indexers.
Hi, yes, I have configured the Universal Forwarder on the host with outputs.conf and inputs.conf as below and restarted Splunk, but I still could not find the host on the data summary tab. Any suggestions would be helpful. Thanks.
cat outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 192.4.81.11:9997
inputs.conf
[monitor:///var/log/apache2/access.log]
sourcetype=apache:access
disabled = 0
How do you try to launch the app? Splunk Add-on for Apache Web Server is a TA, so it does not have a GUI App interface. But sourcetypes should be available in the sourcetype overview or when you try to add an input.
[ui]
is_visible = false
