Splunk Stream

Installation and Configuration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Troubleshooting

Wire Data modular input stops working after upgrade

After manually deleting the application folders without stopping Splunk and then installing or upgrading the app, the Wire Data input stops working. Some of the symptoms are as follows:

1. Wire Data configuration (Splunk App for Stream Location) not present.

2. Wire Data is not present in the data input.

3. Splunk stream forwarder interface does not increment counters.

4. Wire Data configuration is present, but enabling streamfwd from UI has no effect.

For symptoms 1, 2, and 3, a restart of Splunk might fix the issue.

cd $SPLUNK_HOME/bin
./splunk restart

Otherwise, follow this workaround:

1. From CLI, stop Splunk.

cd $SPLUNK_HOME/bin
./splunk stop

2. Go to $SPLUNK_HOME/etc/apps.

3. Delete splunk_app_stream and Splunk_TA_Stream folders.

4. Start Splunk.

cd $SPLUNK_HOME/bin
./splunk start

5. Go to Splunk Web and install (or reinstall) the Splunk App for Stream application. See Install Splunk App for Stream.

6. Restart Splunk from the UI.

7. Go to Settings > Data inputs.

The Wire Data option should now appear in the UI.

7. Click Enable.

You should now see wire data indexing into Splunk. Follow these same steps for symptom 4 as well.

Note: If you need to delete splunk_app_stream and Splunk_TA_Stream folders, you should stop Splunk first and then delete the folders. If you do not stop Splunk, then you will encounter the above issues.

How to create a PCAP file

If you encounter an issue with your Splunk App for Stream deployment, the Stream support team might ask you to provide a PCAP file for debugging purposes.

To create a PCAP file in Linux:

tcpdump –i eth0 –s 0 –w filename.pcap

For example, to capture Oracle TNS traffic only on port 1521:

tcpdump –i eth0 –s 0 –w file.pcap tcp port 1521

Note: To see a list of NIC names on your server, enter tcpdump –D.

To create a PCAP in Windows:

You can create a PCAP in Windows using a utility such as Wireshark.

For instructions on creating a PCAP file in Wireshark, see Saving captured packets.

Last modified on 19 March, 2015
PREVIOUS
FAQ
 

This documentation applies to the following versions of Splunk Stream: 6.2.0, 6.2.1, 6.2.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters