Troubleshooting
Wire Data modular input stops working after upgrade
If you manually delete the application folders without stopping Splunk and then install or upgrade the app, the Wire Data modular input stops working. Some of the symptoms are as follows:
- The Wire Data modular input configuration (splunk_app_stream location) is not present.
- Wire data is not present in the data input.
- The Wire Data configuration is present, but enabling streamfwd in the UI has no effect.
For symptoms 1 and 2 above, a restart of Splunk might fix the issue. Otherwise, follow this workaround:
- Stop Splunk.
  cd $SPLUNK_HOME/bin
  ./splunk stop
- In $SPLUNK_HOME/etc/apps, delete the splunk_app_stream and Splunk_TA_Stream folders.
- Start Splunk.
  cd $SPLUNK_HOME/bin
  ./splunk start
- In Splunk Web, reinstall Splunk Stream. See Install Splunk Stream.
- Restart Splunk from the UI.
- Open Settings > Data inputs. The Wire Data modular input now appears in the UI.
- Click Enable.
Always stop Splunk before deleting either the splunk_app_stream or the Splunk_TA_Stream directory.
Wire Data modular input fails to start on Linux
- Check splunkd.log for the following error message:
  Unable to initialize modular input "streamfwd" defined inside the app "Splunk_TA_stream": Introspecting scheme=streamfwd: script running failed (killed by signal 6: Aborted)
- Check if running the Splunk_TA_stream/linux_x86_64/bin/streamfwd --version command from the CLI results in the following output:
  /opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd --version
  terminate called after throwing an instance of 'std::runtime_error'
  what(): locale::facet::_S_create_c_locale name not valid
  Aborted (core dumped)
- Use this workaround: Set the LC_ALL locale to either "en_US.UTF-8" or "C.UTF-8":
  export LC_ALL="en_US.UTF-8"
How to create a PCAP file
If you encounter an issue with your Splunk Stream deployment, the Stream support team might ask you to provide a PCAP file for debugging purposes.
Create a PCAP in Linux
We recommend using tcpdump to create a PCAP in Linux. tcpdump captures the first 96 bytes of data from a packet by default. To capture more data, use the -s<number> option to set the snaplen (snapshot length), where <number> is the number of bytes you want to capture. Use -s0 to run tcpdump with unlimited snaplen.
tcpdump -i eth0 -s0 -w filename.pcap
For example, to capture Oracle TNS traffic only on port 1521:
tcpdump -i eth0 -s0 -w file.pcap tcp port 1521
Note: To see a list of NIC names on your server, enter tcpdump -D.
Create a PCAP in Windows
You can create a PCAP in Windows using a utility such as Wireshark.
For instructions on creating a PCAP file in Wireshark, see Saving captured packets.
This documentation applies to the following versions of Splunk Stream™: 7.1.0, 7.1.1