I encountered the same error ( Encountered the following error while trying to save: In handler 'streamfwd': The script returned with exit status 2.) when trying to edit the modular input streamfwd (more settings) to set it to another index.
splunkd showed this:
08-18-2015 23:57:46.463 -0700 ERROR ModularInputs - Argument validation for scheme=streamfwd: killing process, because executing it took too long (over 30000 msecs).
08-18-2015 23:57:46.465 -0700 INFO ModularInputs - Argument validation for scheme=streamfwd: script running failed (killed by signal 9: Killed: 9).
I initially untarred the splunk_app_stream.tar file and copied it into etc/apps/ and restarted splunk for the first install which led me to the error.
To fix the issue I removed the Splunk_TA_stream and the splunk_app_stream , restarted splunk then installed from the web UI under Apps>Find More Apps . I then enabled the modular input through the web UI (Settings>Data Inputs> Wire Data > streamfwd - enable.
To see http data I went to the Splunk App for Stream from the app menu and enabled the http protocol. Then did a search for index=* source=stream* and see data now.
My system was a standalone server so fwdr/SH/IDX all in one.
... View more