Splunk Stream

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of StreamApp. Click here for the latest version.
Download topic as PDF

Troubleshooting

Splunk_TA_stream and Wire Data mod input not appearing after install

After installing Splunk App for Stream on Linux, with splunkd running as root, the Splunk_TA_stream directory does not appear in $SPLUNK_HOME/etc/apps, and the Wire Data modular input is not listed under Settings > Data Input.

Workaround:

1. Manually copy the Splunk_TA_stream directory located in splunk_app_stream/install.

cd $SPLUNK_HOME/etc/apps
cp -r splunk_app_stream/install/Splunk_TA_stream

2. Manually re-create the .modinput on the stream forwarder:

cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
touch darwin_x86_64/bin/.modinput linux_x86/bin/.modinput linux_x86_64/bin/.modinput

3. Restart Splunk Enterprise:

$SPLUNK_HOME/bin/splunk restart

Note: When you manually copy the Splunk_TA_stream directory, you must also setup a new Wire Data input using the Splunk UI:

1. Go to Settings > Data Inputs.

2. Click Wire Data.

3. Click New

4. For name, enter "streamfwd."

5. For Splunk App for Stream Location, enter "http://localhost:8000/en-us/custom/splunk_app_stream/."

5. Locate the "streamfwd" data input in the list, and click Enable.

The Wire Data (Stream Forwarder) data input is now enabled and begins to send event data to Splunk.

PREVIOUS
FAQ
 

This documentation applies to the following versions of Splunk Stream: 6.0, 6.0.1


Comments

Yes, thank you Jbrodsky. I have integrated your input into the troubleshooting doc.<br /><br />Best regards!

Sroback splunk
September 4, 2014

Jbrodsky, you are a super duper hero. Thank you.

Vly
September 4, 2014

Note that there's one more step you want to check here IF you have to go through this troubleshooting to get Stream installed properly. In order for the Stream forwarder to get its config, it needs to know that it is running as a modular input. The same failure scenario that causes the system to not put Splunk_TA_stream and the wire data input in the right place, also will not extract the ".modinput" file that belongs in the stream forwarder binary directory.<br /><br />On a linux system, simply touch a .modinput file to create it if it does not exist. On the stream forwarder, it needs to exist in the $SPLUNK_HOME/etc/apps/Splunk_TA_stream//bin directory, where is linux_x86, linux_x86_64, or darwin_x86_64.

Jbrodsky splunk
August 26, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters