Integrate Splunk Stream with Splunk Enterprise Security
Enterprise Security integrates with Splunk Stream to capture and analyze network traffic data. Splunk Stream includes an app (splunk_app_stream) that you install on a search head and two forwarding options.
- Install the Splunk App for Stream on the Enterprise Security search head.
- For a Splunk Enterprise deployment, see Splunk Stream on-premise deployment architecture in the Splunk Stream Installation and Configuration Manual.
- For a Splunk Cloud Platform deployment, see Splunk Stream for Cloud deployment architecture in the Splunk Stream Installation and Configuration Manual.
- Activate the configuration template for Splunk Enterprise Security on the Splunk Stream forwarder that you use. You can use the Splunk Add-on for Stream (Splunk_TA_stream) or the independent Stream forwarder. See Use Stream configuration templates.
Use Stream in Enterprise Security
After setting up Splunk Stream, you can start a Stream capture job as a result of a correlation search. See Start a stream capture with Splunk Stream in Administer Splunk Enterprise Security. You can also start a stream capture job from a notable event on the Incident Review dashboard. See Start a Stream capture in Use Splunk Enterprise Security.
You can view and analyze Stream data events captured in Splunk Enterprise Security on the Protocol Intelligence dashboards. See Protocol Intelligence dashboards in 'Use Splunk Enterprise Security.
Deploy add-ons included with Splunk Enterprise Security
Configure and deploy indexes
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.2.0, 5.2.1, 5.2.2, 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2