Same issue:
- newest Splunk (6.3.3)
- newest stream (6.4.2)
- installed manually (from file)
- confirmed permissions
- wire input set properly (it was done for me automagically) and enabled
-- even did the trick of restarting it as described above
- enabled all the default streams
- did the kernel buffer resizing trick
- confirmed inputs.conf is correct (according to documentation)
- edited streamfwd.xml to use correct interface (according to documentation)
- confirmed interface is getting data with tcpdump
- restarted Splunk instance (a couple of times...)
- sacrificed a large chicken
No data shown in source="stream*" or in the UI.
Perhaps the streamfwd.log file doesn't exist any more in this version, or didn't get created...?