- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Why are no results displaying in Cisco eStream...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why are no results displaying in Cisco eStreamer for Splunk app, but logs are appearing in $SPLUNK_HOME/etc/apps/eStreamer/log?
I have configured the Cisco eStreamer app, and confirmed that logs are appearing in Cisco eStreamer logs are in $SPLUNK_HOME/etc/apps/eStreamer/log. I have enabled verbose logging, but no logs are apearing in the Cisco eStreamer app, and when I do a search for index=estreamer it comes up empty. Additionally, when check the "client status" in the app, no results are returned.
I have manually checked the client_check.py, and the status comes back as event_sec=1414616228 status_id=1 status="eStreamer client is running."
Also important: We have a distributed environment. I have tried to install the app on a search head and a heavy forwarder with no luck. I can not find any documentation so I am wondering if I need to install the app on an indexer instead. Any feedback would be appreciated.
Thanks,
Casey
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I suspected, I needed to install the application on an indexer, in addition to the search head. Using $SPLUNK_HOME/etc/apps/eStreamer/bin/config_nogui.sh I was able to configure the app and then data began populating in the dashboard available on the search head.
The only issue with this configuration is that the estreamer index is not load balanced across our indexers (we have two). If I install the app on both indexers, this will result in duplicate events. If I figure out how to properly load balance I will let you know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not seeing any answers anywhere on where to install the esteamer_client in a distributed environment. Anyone have this answer yet on how to do this?
I would think if you installed it on ALL indexers they would all do the polling and have redundant data.
Is it confirmed that installing on a heavy forwarder (that doesn't index) will not work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you ever figure out the correct way to load balance?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
casey18cc - did you install the cert on the search head or the indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Verbose logging writes a log to $SPLUNK_HOME/etc/apps/eStreamer/bin/estreamer_debug.log to give you a better idea what is happening with the app. If you're seeing logs populate in the $SPLUNK_HOME/etc/apps/eStreamer/log/ then the eStreamer log collection is functioning as anticipated.
In a multi-node setup, you may need to install the app on multiple nodes. Unfortunately I don't have much experience with such a setup, but I imagine you would need to install on both a forwarder and search head. My inexperience with this setup is the real reason for no documentation on the subject.
− Colin
Detecting Remote Code Executions With the Splunk Threat Research Team
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
