
Splunk Stream /captureipaddresses endpoint returns 404, while /ping works – Setup cannot detect forwarder

snick
New Member

Environment:

Splunk Enterprise single instance on Windows

Splunk App for Stream (v8.1.5) and Splunk Add-on for Stream Forwarders installed and enabled

No distributed deployment, all components on same machine

Symptoms:

Accessing localhost:8000/en-us/custom/splunk_app_stream/captureipaddresses returns a 404 error.

However, localhost:8000/en-us/custom/splunk_app_stream/ping returns a valid JSON response, confirming the app's REST API is partially functional.

The Stream forwarder (streamfwd.exe) is running, but the Setup Stream page fails to detect the add-on status.

Logs (streamfwd.log) show repeated attempts to contact the endpoint with 404 responses.

What has been checked / tried:

App and add-on status: Both are enabled in Apps > Manage Apps.

Duplicate app conflict: Removed a backup folder splunk_app_stream_backup from $SPLUNK_HOME/etc/apps/ to avoid duplicate app ID warnings.

Configuration files verified:

restmap.conf (in default) contains the correct stanza for captureipaddresses:

```text
[script:captureipaddress]
match=/splunk_app_stream/captureipaddresses/?
handler=rest_captureipaddresses.CaptureIpAddresses
python.version=python3
...
```

Python handler file rest_captureipaddresses.py exists in bin/ and imports without errors (tested with Splunk's Python).

The web.conf in the app's local folder was updated to expose script handlers:

```text
[expose:custom]
methods = GET, POST, DELETE, PUT
handler = script
pattern = /custom/.*
```

No local overrides for restmap.conf exist.

HTTP method tested: Both GET and POST requests to the endpoint return 404 (confirmed with curl).

Logs checked: No errors related to captureipaddresses in splunkd.log or python.log when the endpoint is accessed.

Permissions: File permissions on the handler and app folders are correct (Splunk service account has access).

KV Store: The app uses KV store; collections appear to exist (no errors in logs about missing collections).

What remains puzzling:

Since /ping works, the base routing is correct, but the specific handler for captureipaddresses is not being invoked.

The handler code (seen in rest_captureipaddresses.py) includes a handle_GET method, so it should respond to GET requests.

No errors are logged when the endpoint is hit, just a 404 response.

Request for help:

Has anyone encountered a similar issue where a specific REST endpoint of the Stream app returns 404 while others work? Are there any additional configuration files or dependencies (like KV store initialization) that could cause this? Could there be a subtle difference in the URL pattern or a missing authentication requirement? Any guidance would be greatly appreciated!
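
For the "Configuration files verified" checks above, this added example (not part of the original post and not Splunk's code) merges an app's default and local .conf text per key and reports which layer supplies each setting. It models only the default/local layering inside one app, and the sample texts are constructed from the stanzas quoted in the post.

```python
import re

# Constructed sample layers, built from the stanzas quoted in the post.
DEFAULT_RESTMAP = """\
[script:captureipaddress]
match=/splunk_app_stream/captureipaddresses/?
handler=rest_captureipaddresses.CaptureIpAddresses
python.version=python3
"""
LOCAL_RESTMAP = ""   # the post states no local restmap.conf overrides exist
DEFAULT_WEB = ""     # assumption: default/web.conf has no [expose:custom]
LOCAL_WEB = """\
[expose:custom]
methods = GET, POST, DELETE, PUT
handler = script
pattern = /custom/.*
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys before any stanza are skipped."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Merge per key, local over default; values are (setting, source_layer)."""
    merged = {}
    for layer, text in (("default", default_text), ("local", local_text)):
        for stanza, settings in parse_conf(text).items():
            for key, value in settings.items():
                merged.setdefault(stanza, {})[key] = (value, layer)
    return merged

def local_overrides(default_text, local_text):
    """Return sorted (stanza, key) pairs where local changes a default value."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    return sorted((s, k) for s, kv in local.items() for k, v in kv.items()
                  if k in default.get(s, {}) and default[s][k] != v)
```

On a live instance, `splunk btool restmap list --debug` reports the merged result across all apps and layers, which this offline sketch does not cover.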
