
7.1 Streamfwd fails to configure service on ubuntu

tbaublys_splunk
Splunk Employee

I installed standalone streamfwd on ubuntu with "curl -..." script provided, installation ends with following message:

...
Do you want to start Splunk Stream Forwarder 7.1.0 service (streamfwd) (yes/no)? [yes]yes
Starting streamfwd service..
Job for streamfwd.service failed because the control process exited with error code. See "systemctl status streamfwd.service" and "journalctl -xe" for details.
Splunk Stream Forwarder 7.1.0 installation complete.

  • streamfwd process is running, but the script /etc/init.d/streamfwd is not properly working and not controlling the daemon:

root@ugurke2:/opt# systemctl status streamfwd.service
streamfwd.service - LSB: Starts the Splunk Stream Forwarder 7.1.0 daemon
   Loaded: loaded (/etc/init.d/streamfwd; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2017-05-04 09:32:16 CEST; 7s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3210 ExecStart=/etc/init.d/streamfwd start (code=exited, status=1/FAILURE)
   CGroup: /system.slice/streamfwd.service
           └─3027 /opt/streamfwd/bin/streamfwd

0 Karma

mattlucas719
Explorer

root@matt-Latitude-E6420:/etc/systemd/system# cat streamfwd.service
[Unit]
Description= Splunk Stream Dedicated Service
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/opt/streamfwd/bin/streamfwd -D

[Install]
WantedBy=multi-user.target
Alias=splunkstream.service
root@matt-Latitude-E6420:/etc/systemd/system# cat splunkstream.service
[Unit]
Description= Splunk Stream Dedicated Service
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/opt/streamfwd/bin/streamfwd -D

[Install]
WantedBy=multi-user.target
Alias=splunkstream.service

then you can run:

Enable the new service “systemctl enable streamfwd”

ubuntu 18 tested and works

0 Karma

banaie
Path Finder

Unfortunately, it didn't work on streamfwd version 7.2 and ubuntu 18.04!

Dec 31 13:25:31 splunk-stream-forwarder systemd[1]: Started Splunk Stream Dedicated Service.
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.317 INFO  stream.CaptureServer - Launch child process for restoring interfaces
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.334 INFO  stream.CaptureServer - Found DataDirectory: /opt/streamfwd/data
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.334 INFO  stream.CaptureServer - Found UIDirectory: /opt/streamfwd/ui
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.337 ERROR stream.NetworkCapture - Error: basic_string::_S_construct null not valid
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: 13:25:31.339 FATAL stream.main - Failed to start streamfwd, the process will be terminated: DPDK failed to initialize
Dec 31 13:25:31 splunk-stream-forwarder systemd[1]: streamfwd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]: terminate called after throwing an instance of 'std::bad_alloc'
Dec 31 13:25:31 splunk-stream-forwarder streamfwd[3172]:   what():  std::bad_alloc
Dec 31 13:25:31 splunk-stream-forwarder systemd[1]: streamfwd.service: Failed with result 'exit-code'.
0 Karma

mattymo
Splunk Employee

big shout to Ryan Faircloth for the working unit file to get stream working on ubuntu 16.04 for me in aws

https://www.rfaircloth.com/2017/02/11/unbelievably-simple-ipfixnetjsflow-collection/

Kill stream if it's running “killall -9 streamfwd”
Remove the init script
“update-rc.d -f streamfwd remove”
rm /etc/init.d/streamfwd
Create a new service unit file for systemd /etc/systemd/system/streamfwd.service

[Unit]
Description= Splunk Stream Dedicated Service
After=syslog.target network.target
[Service]
Type=simple
ExecStart=/opt/streamfwd/bin/streamfwd -D


Enable the new service “systemctl enable streamfwd”
- MattyMo
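
An added example, not part of any post in this thread: a shell pre-flight check for the init-script-to-systemd migration described above. `ROOT` and the function names are hypothetical, and the sample tree is constructed; the check relies on the fact that `systemctl enable` only acts on a unit whose `[Install]` section names a target.

```shell
#!/bin/sh
# Added example: pre-flight check for the streamfwd init-script-to-systemd move.
# ROOT is a hypothetical parameter so the check can run against a staged tree.

# has_install_target FILE: exit 0 if [Install] has WantedBy=, RequiredBy=,
# Also= or Alias=; without one of these `systemctl enable` has nothing to link.
has_install_target() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); section = $0; next }
        section == "[Install]" && /^[ \t]*(WantedBy|RequiredBy|Also|Alias)[ \t]*=[ \t]*[^ \t]/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# check_streamfwd_unit ROOT: print one line per finding, return the count.
check_streamfwd_unit() {
    root=$1; problems=0
    unit="$root/etc/systemd/system/streamfwd.service"
    if [ ! -f "$unit" ]; then
        echo "missing unit file: $unit"; problems=$((problems + 1))
    elif ! has_install_target "$unit"; then
        echo "no [Install] target in $unit: enable will not start it at boot"
        problems=$((problems + 1))
    fi
    if [ -e "$root/etc/init.d/streamfwd" ]; then
        echo "SysV init script still present: $root/etc/init.d/streamfwd"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# make_sample_tree DIR WITH_INSTALL: constructed tree for demonstration only.
make_sample_tree() {
    mkdir -p "$1/etc/systemd/system" "$1/etc/init.d"
    {
        printf '[Unit]\nDescription=Splunk Stream Dedicated Service\n'
        printf 'After=syslog.target network.target\n'
        printf '[Service]\nType=simple\nExecStart=/opt/streamfwd/bin/streamfwd -D\n'
        if [ "$2" = yes ]; then printf '[Install]\nWantedBy=multi-user.target\n'; fi
    } > "$1/etc/systemd/system/streamfwd.service"
}

# Demo on a constructed tree: unit without [Install], init script left behind.
demo=$(mktemp -d)
make_sample_tree "$demo" no
touch "$demo/etc/init.d/streamfwd"
check_streamfwd_unit "$demo" || echo "findings: $?"
rm -rf "$demo"
```

Run against a live host with `check_streamfwd_unit ""`, which resolves the paths from `/`.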

ChrisYang
Explorer

I believe you were deploying it on the latest ubuntu v16 or v17.
I had the same problem yesterday. Later I found the independent streamfwd service couldn't be restarted. Then, I replaced the OS by ubuntu 14.04, all good.

Ubuntu adopted systemd from v15. That's the reason.

I was deploying the independent streamfwd on ubuntu 16 and had the same issue above.
Finally, I got it sorted by replacing the OS by ubuntu 14.

Ubuntu started to adopt systemd from v15. So, the streamfwd service cannot be started in this environment. When I change it to ubuntu 14, all good.

0 Karma