Splunk Dev

deploying stream forwarder to universal forwarders does not work

sh_tavousi
Explorer

Hi, 

I'm having issue to deploy stream forwarder to UFs by Deployment Server. I have installed stream TA in deployment app but it doesn't work and I can't see forwarders in stream forwarder. In inputs.conf I set splunk_stream_app_location with address of my stream app and also I have stream logs from my stream APP but it doesn't work on UFs.

Can anybody help me with this problem?

Thanks.

Labels (1)
Tags (1)
0 Karma

tscroggins
Influencer

@sh_tavousi 

You're likely missing step 7 under https://docs.splunk.com/Documentation/StreamApp/7.3.0/DeployStreamApp/InstallStreamForwarder#Use_the.... This section doesn't actually describe using a deployment server, but it does at least cover the installation steps necessary.

7. Set Splunk_TA_stream permissions: On Linux and OSX, run the set_permissions.sh script in the Splunk_TA_stream directory.

cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo chmod +x ./set_permissions.sh
sudo ./set_permissions.sh

The deployment server can't perform this step without additional help in the form of sudo rules, wrapper scripts, run once inputs, or the use of a separate deployment tools.

0 Karma

sh_tavousi
Explorer

Hi,

I have installed stream TA on windows.

What should I do?

Thanks.

0 Karma

Vardhan
Contributor

Hi,

Install the Splunk_TA_stream in the UF and splunk_app_stream&Splunk_TA_stream in the HF. Go to the Splunk_TA_stream in the UF and config the inputs.conf as mentioned below

[streamfwd://streamfwd]

splunk_stream_app_location = https://HF_IP:8000/en-us/custom/splunk_app_stream/

disabled = 0

index = dns

And go to the Stream App in the HF and do the necessary config as mentioned in the below blog.

https://www.splunk.com/en_us/blog/tips-and-tricks/installing-and-managing-splunk-stream-in-a-distrib...

0 Karma

tscroggins
Influencer

@sh_tavousi 

Did you read and follow https://wiki.wireshark.org/CaptureSetup/CapturePrivileges? Do other WinPcap clients, e.g. Wireshark, work correctly?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...