Splunk_TA_stream and Wire Data mod input not appearing after install
After installing Splunk App for Stream on Linux, with splunkd running as root, the Splunk_TA_stream directory does not appear in $SPLUNK_HOME/etc/apps, and the Wire Data modular input is not listed under Settings > Data Input.
1. Manually copy the Splunk_TA_stream directory located in
    cd $SPLUNK_HOME/etc/apps
    cp -r splunk_app_stream/install/Splunk_TA_stream .
2. Manually re-create the .modinput on the stream forwarder:
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
    touch darwin_x86_64/bin/.modinput linux_x86/bin/.modinput linux_x86_64/bin/.modinput
3. Restart Splunk Enterprise:
Note: When you manually copy the Splunk_TA_stream directory, you must also set up a new Wire Data input using the Splunk UI:
1. Go to Settings > Data Inputs.
2. Click Wire Data.
3. Click New.
4. For name, enter "streamfwd".
5. For Splunk App for Stream Location, enter "http://localhost:8000/en-us/custom/splunk_app_stream/".
6. Locate the "streamfwd" data input in the list, and click Enable.
The Wire Data (Stream Forwarder) data input is now enabled and begins to send event data to Splunk.
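The manual copy and .modinput steps above can be made repeatable with a check-and-repair script. The following is an added example, not part of the Splunk documentation; the function names are hypothetical, and it assumes a marker is only needed in platform directories that actually exist in the TA.

```shell
#!/bin/sh
# Added example. Platform directory names are the three listed on the page.
PLATFORMS="darwin_x86_64 linux_x86 linux_x86_64"

# missing_stream_ta_items SPLUNK_HOME
# Prints one path per missing item; prints nothing when the TA is complete.
missing_stream_ta_items() {
    ta="$1/etc/apps/Splunk_TA_stream"
    if [ ! -d "$ta" ]; then
        echo "$ta"
        return 0
    fi
    for p in $PLATFORMS; do
        # Assumption: only platform directories present in the TA need a marker.
        if [ -d "$ta/$p/bin" ] && [ ! -e "$ta/$p/bin/.modinput" ]; then
            echo "$ta/$p/bin/.modinput"
        fi
    done
    return 0
}

# repair_stream_ta SPLUNK_HOME
# Copies the bundled TA only when it is absent (so an existing TA and its
# local configuration are never overwritten), then creates missing markers.
# Returns 0 when nothing is missing afterwards, non-zero otherwise.
repair_stream_ta() {
    apps="$1/etc/apps"
    src="$apps/splunk_app_stream/install/Splunk_TA_stream"
    if [ ! -d "$apps/Splunk_TA_stream" ]; then
        if [ ! -d "$src" ]; then
            echo "bundled TA not found: $src" >&2
            return 1
        fi
        cp -r "$src" "$apps/" || return 1
    fi
    for p in $PLATFORMS; do
        if [ -d "$apps/Splunk_TA_stream/$p/bin" ]; then
            touch "$apps/Splunk_TA_stream/$p/bin/.modinput" || return 1
        fi
    done
    # Re-check so the caller gets a definite answer before restarting Splunk.
    [ -z "$(missing_stream_ta_items "$1")" ]
}

# Usage: repair_stream_ta "$SPLUNK_HOME" && echo "Splunk_TA_stream is in place"
```

Run it as the account that splunkd runs as so the copied files are readable by Splunk; the restart and the Wire Data input steps are still done by hand.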
This documentation applies to the following versions of Splunk Stream™: 6.0, 6.0.1