Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Troubleshooting

Wire Data modular input stops working after upgrade

After manually deleting the application folders without stopping Splunk and installing or upgrading the app, the Wire Data modular input stops working. Some of the symptoms are as follows:

  1. The Wire Data modular input configuration (splunk_app_stream location) is not present.
  2. Wire data is not present in the data input.
  3. The Wire Data configuration is present, but enabling streamfwd in the UI has no effect.


For symptoms 1 and 2 above, a restart of Splunk might fix the issue. Otherwise, follow this workaround:

  1. Stop Splunk.
    cd $SPLUNK_HOME/bin
    ./splunk stop
    
  2. In $SPLUNK_HOME/etc/apps, delete splunk_app_stream and Splunk_TA_Stream folders.
  3. Start Splunk.
    cd $SPLUNK_HOME/bin
    ./splunk start
    
  4. In Splunk Web, reinstall Splunk Stream. See Install Splunk Stream.
  5. Restart Splunk from the UI.
  6. Open Settings > Data inputs.
    The Wire Data modular input now appears in the UI.
  7. Click Enable.

Stop Splunk before deleting either splunk_app_stream or Splunk_TA_Stream directories.

Wire Data modular input fails to start on Linux

  1. Check splunkd.log for the following error message:
    Unable to initialize modular input "streamfwd" defined inside the app "Splunk_TA_stream": 
    Introspecting scheme=streamfwd: script running failed (killed by signal 6: Aborted)
    
  2. Check if running the Splunk_TA_stream/linux_x86_64/bin/streamfwd --version command from the CLI results in the following output:
    /opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd --version
    terminate called after throwing an instance of 'std::runtime_error'
      what():  locale::facet::_S_create_c_locale name not valid
    Aborted (core dumped)
    
  3. Use this workaround: Set the LC_ALL locale to either "en_US.UTF-8" or "C.UTF-8":
    export LC_ALL="en_US.UTF-8"
    

How to create a PCAP file

If you encounter an issue with your Splunk Stream deployment, the Stream support team might ask you to provide a PCAP file for debugging purposes.

Create a PCAP in Linux

We recommend using tcpdump to create a PCAP in Linux. tcpdump captures the first 96 bytes of data from a packet by default. To capture more data, use the -s<number> option to set the snaplen (snapshot length), where <number> is the number of bytes you want to capture. Use -s0 to run tcpdump with unlimited snaplen.

tcpdump –i eth0 –s0 –w filename.pcap

For example, to capture Oracle TNS traffic only on port 1521:

tcpdump –i eth0 –s0 –w file.pcap tcp port 1521

Note: To see a list of NIC names on your server, enter tcpdump –D.

Create a PCAP in Windows

You can create a PCAP in Windows using a utility such as Wireshark.

For instructions on creating a PCAP file in Wireshark, see Saving captured packets.

Last modified on 08 March, 2017
FAQ  

This documentation applies to the following versions of Splunk Stream: 7.1.0, 7.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters