Splunk® Data Stream Processor

Install and administer the Data Stream Processor

On April 3, 2023, Splunk Data Stream Processor reached its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.

All DSP releases prior to DSP 1.4.0 use Gravity, a Kubernetes orchestrator, which has been announced end-of-life. We have replaced Gravity with an alternative component in DSP 1.4.0. Therefore, we will no longer provide support for versions of DSP prior to DSP 1.4.0 after July 1, 2023. We advise all of our customers to upgrade to DSP 1.4.0 in order to continue to receive full product support from Splunk.

Additional installation considerations

You may have to perform additional prerequisites in order to successfully install DSP in your system. These prerequisites vary depending on your own system configuration.

Load network bridge drivers

Depending on your operating system, you may need to load network bridge drivers.

  1. Check to see if network bridge drivers have been loaded on your operating system. If enabled, the output number should be 1.
    sysctl net.bridge.bridge-nf-call-iptables
    
    net.bridge.bridge-nf-call-iptables = 1
  2. If you receive an error message sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory you must add br_netfilter kernel module to the k8s.conf file and load the module into the kernel before you can load the network bridge drivers.
    1. Add the br_netfilter kernel module to the configuration file.
      cat <<EOF > /etc/modules-load.d/k8s.conf
      br_netfilter
      EOF
    2. Load the br_netfilter kernel module.
      modprobe br_netfilter
  3. If the network bridge driver has not been loaded, run the following commands.
    1. Load network bridge drivers.
      sysctl -w net.bridge.bridge-nf-call-iptables=1
    2. Persist this setting.
      echo net.bridge.bridge-nf-call-iptables=1 >> /etc/sysctl.d/10-bridge-nf-call-iptables.conf

Increase inotify watches

When installing DSP on Centos or RedHat, you should increase inotify watches to 1048576.

  1. On each node, edit the /etc/sysctl.d/99-sysctl.conf file.
  2. Add the following line:
    fs.inotify.max_user_watches=1048576
  3. Save your changes.
  4. From the command-line of the controller node, type the following command:
    sysctl -p /etc/sysctl.d/99-sysctl.conf

Enable IPv4 Forwarding

Depending on your operating system, you may need to enable IPv4 Forwarding.

  1. (Optional) Check to see if IPv4 forwarding is enabled on your operating system by running the following command. If enabled, the output number should be 1.
    sysctl net.ipv4.ip_forward
    
    net.ipv4.ip_forward = 1
  2. Enable IPv4 forwarding.
    sysctl -w net.ipv4.ip_forward=1
  3. Save the IPv4 settings.
    1. (Optional) If you are using Ubuntu and you already have a sysctl.conf file, you can update the existing net.ipv4.ip_forward setting by opening the /etc/sysctl.conf file, and uncommenting the line that has the IPv4 setting. After you've enabled IPv4 forwarding, skip to step 4.
    2. Otherwise, run the following command:
      echo net.ipv4.ip_forward=1 >> /etc/sysctl.d/10-ipv4-forwarding-on.conf
  4. Load the sysctl settings:
    sysctl -p

Firewalld

If firewalld is enabled in the Operating System, Kubernetes services may not be able to communicate under default configuration. Run the following commands on each node in your cluster.

firewall-cmd --zone=trusted --add-source=10.244.0.0/16 --permanent # pod subnet
firewall-cmd --zone=trusted --add-source=10.100.0.0/16 --permanent # service subnet
firewall-cmd --zone=trusted --add-interface=eth0 --permanent   # enable eth0 in trusted zone so nodes can communicate
firewall-cmd --zone=trusted --add-masquerade --permanent       # masquerading so packets can be routed back
firewall-cmd --reload
systemctl restart firewalld

Install and set up bash-completion

Kubectl provides autocompletion support for bash. Depending on your Linux install configuration, you may need to install bash-completion. You can check if you have bash-completion already installed by running type _init_completion.

  1. Use your Linux distribution package manager to install bash-completion:
    • For RedHat, CentoOS, and Amazon Linux, type: yum install bash-completion.
    • For Ubuntu, type: apt-get install bash-completion.
  2. Verify that bash-completion is installed and configured: type _init_completion. If the command fails, edit your ~/.bashrc file and add: source /usr/share/bash-completion/bash_completion.
  3. Enable bash-completion in kubectl. There are two ways that this can be done:
    1. Source the kubectl bash-completion in your ~/.bashrc file: echo 'source <(kubectl completion bash)' >>~/.bashrc.
    2. Add bash-complete to the /etc/bash_completion.d directory: kubectl completion bash >/etc/bash_completion.d/kubectl.
  4. Restart your bash session.

For more information see Enabling shell autocompletion in the Kubernetes Install and Set Up kubectl manual.

Last modified on 13 January, 2023
Network Encryption Policy   Preparing Google Cloud Platform to install the Splunk Data Stream Processor

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters