Archive
Highlighted

Re: What is correct way to set-up Stream Forwarders with an Index Cluster?

Splunk Employee
Splunk Employee

You can add index = your_index to the inputs.conf stanza to overwrite the default index for Stream Forwarder events. The index field in the Stream configuration UI (on the search head) overrides the default or inputs.conf value on a per-stream base.

0 Karma
Highlighted

Re: What is correct way to set-up Stream Forwarders with an Index Cluster?

Splunk Employee
Splunk Employee

BTW, were you able to resolve the FATAL error problem in streamfwd.log? Not sure what the actual issue is since the error message you posted seems to be truncated.. If it's still an issue, please post the full error message to give us a better idea of what's going on.

0 Karma
Highlighted

Re: What is correct way to set-up Stream Forwarders with an Index Cluster?

Path Finder

did this ever get solved?

I have the same error message running Stream 7.1 on a Centos7 (rhel) box.

The truncation of the logs (forum formatting) should look something like this:

2018-05-13 08:28:38 FATAL [140300864640896] (main.cpp:1150) stream.main - Failed to start streamfwd, the process will be terminated: No <stanza> found in <configuration>
0 Karma