Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

dailv1808
Path Finder
‎07-15-2016 12:53 AM

My problem like this https://answers.splunk.com/answers/209017/why-am-i-not-getting-data-from-the-splunk-app-for.html, but i can not find out solve in this post. Can anyone confirm exactly how the stream config is supposed to be setup on a universal forwarder and how the indexer is configured for each streamfwd source?
Splunk is version 6.4.2 with app for stream 6.5.1
The forwarder I'm testing with is version 6.4.2

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sjaworski
Communicator
‎07-16-2016 08:25 AM

On Windows, Start Task Manager, Select Processes and make sure the Universal Forwarder splunkd.exe and Stream streamfwd.exe is running as System. If it's running as system you should be good.

Make sure the Splunk Stream app is install on your search head, unless your indexer is also your search head. This is where you will configure Splunk Stream on what to collect. The stream app on the UF will receive it's configuration from the search head.

Run the btool command form the Splunk bin directory, splunk btool inputs list streamfwd

alt text

By default Splunk stream logs to the main index. Maybe search index=main It's possible you search is not searching the main index by default.

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

sjaworski
Communicator
‎07-16-2016 08:25 AM

On Windows, Start Task Manager, Select Processes and make sure the Universal Forwarder splunkd.exe and Stream streamfwd.exe is running as System. If it's running as system you should be good.

Make sure the Splunk Stream app is install on your search head, unless your indexer is also your search head. This is where you will configure Splunk Stream on what to collect. The stream app on the UF will receive it's configuration from the search head.

Run the btool command form the Splunk bin directory, splunk btool inputs list streamfwd

alt text

By default Splunk stream logs to the main index. Maybe search index=main It's possible you search is not searching the main index by default.

Preview file
1 KB
Reply
Solved! Jump to solution

dailv1808
Path Finder
‎07-16-2016 08:47 AM

Hi you.
Thank you for your reply.
On Processes tab, it just have splunkd.exe, not streamfwd.exe.
when i run splunk btool inputs list streamfwd command
Capture49d75.png

Capture49d75.png
So how to config to Splunk server get stream data from windows?

0 Karma
Reply
Solved! Jump to solution

sjaworski
Communicator
‎07-16-2016 09:09 AM

Have you restarted the UF since installing the Stream TA in /etc/apps?

0 Karma
Reply
Solved! Jump to solution

dailv1808
Path Finder
‎07-16-2016 09:24 AM

I both run streamfwd.exe in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stram\windows_x86_64\bin and Splunk.exe inC:\Program Files\SplunkUniversalForwarder\bin but no difference at all

0 Karma
Reply
Solved! Jump to solution

sjaworski
Communicator
‎07-16-2016 09:39 AM

You do no need to start the streamfwd.exe by itself. Splunk will automatically start it when UF restarts.

Execute C:\Program Files\SplunkUniversalForwarder\bin\ splunk restart

If that does not work, on your Splunk search head start reviewing the splunkd.log of the windows 7 host. Search index=_internal host=win-orba5mjh4bm stream start reviewing the log. It may give an indication of what is going on.

Or you can grep (find on Windows) find /I "stream" splunkd.loglocally on the win 7 host in c:/program files/splunkuniversalforwarder/var/log/splunk/

Also, check out the streamfwd.log.

0 Karma
Reply
Solved! Jump to solution

dailv1808
Path Finder
‎07-16-2016 10:21 AM

I spent 2 days for this problem and now it solved.
I restarted splunk with this command C:\Program Files\SplunkUniversalForwarder\bin\splunk restart
and then splunk_server received stream data from window. And now i wonder why it cann't get data when i double click on splunk.exe in C:\Program Files\SplunkUniversalForwarder\bin.
Thank you so muchhhhhhhhh!

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎07-15-2016 08:53 AM

are you running the forwarder plunked with root?
did you use the script to give permissions on the stream TA?
Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream.
Issue the command sudo ./set_permissions.sh

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

dailv1808
Path Finder
‎07-15-2016 09:28 PM

more detail:
step 1: I installed SPlunk_App_For_Stream on Splunk server.
Step 2: Install Forwarder on Win7 machine, use administrator account
Step 3: copy Splunk_TA_stream folder from C:\Program Files\Splunk\etc\deployment-apps on Splunk server to C:\Program Files\SplunkUniversalForwarder\etc\apps folder on win7 machine.
Step 4: Splunk_TA_stream inputs.conf on the forwarder has been configured as follows:
*[streamfwd://streamfwd]
splunk_stream_app_location = http://INDEXER_FQDN:8000/en-us/custom/splunk_app_stream/
disabled = 0*
Where INDEXER_FQDN is the full domain name of the splunk server.

Splunk server just received application log, system log, CPU, Ram log.... from win7 machine. However none of the stream data from the forwarder is showing up in the Splunk Server.
i was search host="WIN-ORBA5MJH4BM" source=stream* but no have results found
WIN-ORBA5MJH4BM is the domain name of the win7 machine
Can you confirm exactly how the stream config?

0 Karma
Reply
Solved! Jump to solution

dailv1808
Path Finder
‎07-15-2016 07:34 PM

i have installed fowarder on win7. So how to running the forwarder with root?

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...