Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

deploying stream forwarder to universal forwarders does not work

sh_tavousi
Explorer
‎03-07-2021 04:47 AM

Hi, 

I'm having issue to deploy stream forwarder to UFs by Deployment Server. I have installed stream TA in deployment app but it doesn't work and I can't see forwarders in stream forwarder. In inputs.conf I set splunk_stream_app_location with address of my stream app and also I have stream logs from my stream APP but it doesn't work on UFs.

Can anybody help me with this problem?

Thanks.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

tscroggins
Champion
‎03-07-2021 05:59 AM

@sh_tavousi 

You're likely missing step 7 under https://docs.splunk.com/Documentation/StreamApp/7.3.0/DeployStreamApp/InstallStreamForwarder#Use_the.... This section doesn't actually describe using a deployment server, but it does at least cover the installation steps necessary.

7. Set Splunk_TA_stream permissions: On Linux and OSX, run the set_permissions.sh script in the Splunk_TA_stream directory.

cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo chmod +x ./set_permissions.sh
sudo ./set_permissions.sh

The deployment server can't perform this step without additional help in the form of sudo rules, wrapper scripts, run once inputs, or the use of a separate deployment tools.

0 Karma
Reply

sh_tavousi
Explorer
‎03-07-2021 10:32 PM

Hi,

I have installed stream TA on windows.

What should I do?

Thanks.

0 Karma
Reply

Vardhan
Contributor
‎03-13-2021 11:45 AM

Hi,

Install the Splunk_TA_stream in the UF and splunk_app_stream&Splunk_TA_stream in the HF. Go to the Splunk_TA_stream in the UF and config the inputs.conf as mentioned below

[streamfwd://streamfwd]

splunk_stream_app_location = https://HF_IP:8000/en-us/custom/splunk_app_stream/

disabled = 0

index = dns

And go to the Stream App in the HF and do the necessary config as mentioned in the below blog.

https://www.splunk.com/en_us/blog/tips-and-tricks/installing-and-managing-splunk-stream-in-a-distrib...

0 Karma
Reply

tscroggins
Champion
‎03-13-2021 11:20 AM

@sh_tavousi 

Did you read and follow https://wiki.wireshark.org/CaptureSetup/CapturePrivileges? Do other WinPcap clients, e.g. Wireshark, work correctly?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...