Getting Data In

Why am I not getting data from the Splunk App for Stream using a universal forwarder with my current configuration?

dailv1808
Path Finder

My problem like this https://answers.splunk.com/answers/209017/why-am-i-not-getting-data-from-the-splunk-app-for.html, but i can not find out solve in this post. Can anyone confirm exactly how the stream config is supposed to be setup on a universal forwarder and how the indexer is configured for each streamfwd source?
Splunk is version 6.4.2 with app for stream 6.5.1
The forwarder I'm testing with is version 6.4.2

0 Karma
1 Solution

sjaworski
Communicator

On Windows, Start Task Manager, Select Processes and make sure the Universal Forwarder splunkd.exe and Stream streamfwd.exe is running as System. If it's running as system you should be good.

Make sure the Splunk Stream app is install on your search head, unless your indexer is also your search head. This is where you will configure Splunk Stream on what to collect. The stream app on the UF will receive it's configuration from the search head.

Run the btool command form the Splunk bin directory, splunk btool inputs list streamfwd

alt text

By default Splunk stream logs to the main index. Maybe search index=main It's possible you search is not searching the main index by default.

View solution in original post

sjaworski
Communicator

On Windows, Start Task Manager, Select Processes and make sure the Universal Forwarder splunkd.exe and Stream streamfwd.exe is running as System. If it's running as system you should be good.

Make sure the Splunk Stream app is install on your search head, unless your indexer is also your search head. This is where you will configure Splunk Stream on what to collect. The stream app on the UF will receive it's configuration from the search head.

Run the btool command form the Splunk bin directory, splunk btool inputs list streamfwd

alt text

By default Splunk stream logs to the main index. Maybe search index=main It's possible you search is not searching the main index by default.

dailv1808
Path Finder

Hi you.
Thank you for your reply.
On Processes tab, it just have splunkd.exe, not streamfwd.exe.
when i run splunk btool inputs list streamfwd command
Capture49d75.png

Capture49d75.png
So how to config to Splunk server get stream data from windows?

0 Karma

sjaworski
Communicator

Have you restarted the UF since installing the Stream TA in /etc/apps?

0 Karma

dailv1808
Path Finder

I both run streamfwd.exe in C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stram\windows_x86_64\bin and Splunk.exe inC:\Program Files\SplunkUniversalForwarder\bin but no difference at all

0 Karma

sjaworski
Communicator

You do no need to start the streamfwd.exe by itself. Splunk will automatically start it when UF restarts.

Execute C:\Program Files\SplunkUniversalForwarder\bin\ splunk restart

If that does not work, on your Splunk search head start reviewing the splunkd.log of the windows 7 host. Search index=_internal host=win-orba5mjh4bm stream start reviewing the log. It may give an indication of what is going on.

Or you can grep (find on Windows) find /I "stream" splunkd.loglocally on the win 7 host in c:/program files/splunkuniversalforwarder/var/log/splunk/

Also, check out the streamfwd.log.

0 Karma

dailv1808
Path Finder

I spent 2 days for this problem and now it solved.
I restarted splunk with this command C:\Program Files\SplunkUniversalForwarder\bin\splunk restart
and then splunk_server received stream data from window. And now i wonder why it cann't get data when i double click on splunk.exe in C:\Program Files\SplunkUniversalForwarder\bin.
Thank you so muchhhhhhhhh!

0 Karma

diogofgm
SplunkTrust
SplunkTrust

are you running the forwarder plunked with root?
did you use the script to give permissions on the stream TA?
Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream.
Issue the command sudo ./set_permissions.sh

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

dailv1808
Path Finder

more detail:
step 1: I installed SPlunk_App_For_Stream on Splunk server.
Step 2: Install Forwarder on Win7 machine, use administrator account
Step 3: copy Splunk_TA_stream folder from C:\Program Files\Splunk\etc\deployment-apps on Splunk server to C:\Program Files\SplunkUniversalForwarder\etc\apps folder on win7 machine.
Step 4: Splunk_TA_stream inputs.conf on the forwarder has been configured as follows:
*[streamfwd://streamfwd]
splunk_stream_app_location = http://INDEXER_FQDN:8000/en-us/custom/splunk_app_stream/
disabled = 0
*
Where INDEXER_FQDN is the full domain name of the splunk server.

Splunk server just received application log, system log, CPU, Ram log.... from win7 machine. However none of the stream data from the forwarder is showing up in the Splunk Server.
i was search host="WIN-ORBA5MJH4BM" source=stream* but no have results found
WIN-ORBA5MJH4BM is the domain name of the win7 machine
Can you confirm exactly how the stream config?

0 Karma

dailv1808
Path Finder

i have installed fowarder on win7. So how to running the forwarder with root?

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...