Troubleshooting
Splunk_TA_stream and Wire Data mod input not appearing after install
After installing Splunk App for Stream on Linux, with splunkd
running as root, the Splunk_TA_stream
directory does not appear in $SPLUNK_HOME/etc/apps
, and the Wire Data modular input is not listed under Settings > Data Input.
Workaround:
1. Manually copy the Splunk_TA_stream
directory located in splunk_app_stream/install
.
cd $SPLUNK_HOME/etc/apps cp -r splunk_app_stream/install/Splunk_TA_stream
2. Manually re-create the .modinput on the stream forwarder:
cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream touch darwin_x86_64/bin/.modinput linux_x86/bin/.modinput linux_x86_64/bin/.modinput
3. Restart Splunk Enterprise:
$SPLUNK_HOME/bin/splunk restart
Note: When you manually copy the Splunk_TA_stream directory, you must also setup a new Wire Data input using the Splunk UI:
1. Go to Settings > Data Inputs.
2. Click Wire Data.
3. Click New
4. For name, enter "streamfwd."
5. For Splunk App for Stream Location, enter "http://localhost:8000/en-us/custom/splunk_app_stream/."
5. Locate the "streamfwd" data input in the list, and click Enable.
The Wire Data (Stream Forwarder) data input is now enabled and begins to send event data to Splunk.
PREVIOUS FAQ |
This documentation applies to the following versions of Splunk Stream™: 6.0, 6.0.1
Feedback submitted, thanks!