All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to ping server message in streadfwd.log

goancea
Explorer
‎09-12-2014 12:42 PM

I am trying to use the Splunk for Stream setup (version="6.0.1) on a Universal forwarder.
CentOS 6.5, forwarder/Indexer Splunk release 6.0.2

After the splunk restart, I get the following. Then every 5 seconds I get the 'Unable to ping server' message in streamfwd.log

Found DataDirectory, Found UIDirectory, Loaded configuration file

2014-09-12 14:16:34 ERROR 140563220014848 stream.CaptureServer - Unable to ping server (Unable to establish connection to localhost: Connection refused): a116a931-dc21-49ad-a528-9532f9137826
streamfwd has started successfully (version 6.0.1 build 536)
stream.main - web interface listening on port 8889

Could I be setting the path incorrectly to localhost? I get another error of the same sort when I try and setup the add new

wire data input: (nsg03 is the forwarder server)
SplunkApp for Stream location (I am confused about this entry)

I use the example, except the host name entry for the forwarder
Upon 'Save'

Encountered the following error while trying to save: In handler 'streamfwd': Unable to ping server (Unable to establish connection to name of server: Connection refused): 4a7c6744-f1d1-4752-827b-6314172e7227
At present, I am not seeing how to resolve this error. Anyone else have this issue, and what was your solution?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

csharp_splunk
Splunk Employee
Splunk Employee
‎09-14-2014 12:22 PM

On a Forwarder, you need to set in inputs.conf:

[streamfwd://streamfwd]
splunk_stream_app_location = http://<stream_search_head:port>/en-us/custom/splunk_app_stream/
disabled = 0

Can you pastebin or reply with your inputs.conf on your Forwarder?

View solution in original post

Reply
Solved! Jump to solution

goancea
Explorer
‎09-15-2014 10:25 AM

I followed your suggestion, and used the :8000 and it worked.

I was confused with the examples showing localhost, so I used that and then the forwarder server name.
Of course, that didn't work.

Thanks for the guidance.

0 Karma
Reply
Solved! Jump to solution
Solution

csharp_splunk
Splunk Employee
Splunk Employee
‎09-14-2014 12:22 PM

On a Forwarder, you need to set in inputs.conf:

[streamfwd://streamfwd]
splunk_stream_app_location = http://<stream_search_head:port>/en-us/custom/splunk_app_stream/
disabled = 0

Can you pastebin or reply with your inputs.conf on your Forwarder?

Reply
Solved! Jump to solution

goancea
Explorer
‎09-15-2014 10:26 AM

part of my comment cut off, used the indexer name and port 8000.
That did the trick.

0 Karma
Reply
Solved! Jump to solution

tred23
Path Finder
‎09-14-2017 02:09 AM

It worked once I added the indexer name and port 8000 just like goancea did.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...