Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Install Splunk App for Stream

The Splunk App for Stream installation package installs the following items:

  • Splunk Stream Add-on (Splunk_TA_stream): Splunk_TA_stream captures network event data, and sends that data to Splunk Enterprise. Splunk_TA_stream contains the streamfwd binary (also called Stream Forwarder), which performs network data capture and provides a new "Wire Data" data input type for Splunk Enterprise.
  • Splunk App for Stream (splunk_app_stream): splunk_app_stream provides configuration management and monitoring of the Stream Forwarder.

Splunk_TA_stream and splunk_app_stream are installed in $SPLUNK_HOME/etc/apps. The streamfwd binary is installed in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/<machine_type>/bin.

The installer also places a copy of Splunk_TA_stream into $SPLUNK_HOME/etc/apps/deployment-apps. You can then use the Splunk deployment server to push Splunk_TA_stream from the deployment-apps directory to other Splunk components across a distributed deployment. See "Deployment server and forwarder management".

For more information on Splunk App for Stream components, see Splunk App for Stream Deployment Architecture.

Install Splunk App for Stream

You can download the Splunk App for Stream installation package from Splunk Apps. After you download the installation package, you can install the Splunk App for Stream using Splunk Web.

Important: If you are upgrading from an earlier version of Splunk App for Stream, see Upgrade from an earlier version, prior to installation.

Step 1: Download the installation package

Important: Download the Splunk App for Stream directly from apps.splunk.com. There is a known issue with the "Find More Apps" browser in the Splunk Enterprise UI that corrupts the downloaded package.

1. Go to http://apps.splunk.com/app/1809/.

2. Click Download.

The splunk_app_stream tar.gz installer file downloads to your local host.

Step 2: Install using Splunk Web

1. Log into Splunk Web.

2. In the top left menu, click Manage Apps.

3. Click Install app from file.

4. Upload the splunk_app_stream tar.gz installer file.

5. Click Restart at the prompt. Splunk Enterprise restarts.

This process installs:

  • splunk_app_stream in your $SPLUNK_HOME/etc/apps directory.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/apps directory. This sets up a new Wire Data data input, which is disabled by default.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/deployment-apps directory. This is a copy of the Stream Add-on pre-configured and enabled for deployment to other Splunk servers, including Universal Forwarders.

Step 3: Ensure Proper Permissions

Important: splunkd (indexer or forwarder) must run with root/Administrator privileges for streamfwd to put the network interface in promiscuous mode and sniff packets. If you prefer that splunkd not run as root, use the setuid.sh script to grant root privileges to streamfwd only:

cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo ./setuid.sh
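The point of setuid.sh is least privilege: only the capture binary carries root, while splunkd keeps running as an unprivileged user. The following script is an added example (not part of the Splunk Stream documentation or the add-on) that checks both halves of that state after installation. It assumes GNU coreutils stat(1) and a procps-style ps(1); the streamfwd path is the documented install location, with the machine-type directory discovered by glob.

```shell
#!/bin/sh
# Added example (not from the Splunk Stream docs): verify that streamfwd is
# setuid root and that splunkd itself is NOT running as root.
# Assumes GNU stat (-c) and ps -eo user=,comm= (procps).

# is_setuid_root MODE_OWNER
#   MODE_OWNER is the output of `stat -c '%a:%U' FILE`, e.g. "4755:root".
#   Returns 0 only when the setuid bit is set AND the file is owned by root.
is_setuid_root() {
    mode=${1%%:*}
    owner=${1#*:}
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        4???|5???|6???|7???) return 0 ;;   # leading octal digit includes the 4 (setuid) bit
        *) return 1 ;;
    esac
}

# splunkd_runs_as_root PS_LINES
#   PS_LINES is the output of `ps -eo user=,comm=` (user, command name per line).
#   Returns 0 if any splunkd process is owned by root.
splunkd_runs_as_root() {
    printf '%s\n' "$1" | awk '$1 == "root" && $2 == "splunkd" { found = 1 } END { exit !found }'
}

# audit_streamfwd: report on the live system. SPLUNK_HOME must be set.
audit_streamfwd() {
    for streamfwd in "$SPLUNK_HOME"/etc/apps/Splunk_TA_stream/*/bin/streamfwd; do
        [ -e "$streamfwd" ] || continue
        if is_setuid_root "$(stat -c '%a:%U' "$streamfwd")"; then
            echo "OK:   $streamfwd is setuid root"
        else
            echo "WARN: $streamfwd is not setuid root; capture needs root or setuid.sh"
        fi
    done
    if splunkd_runs_as_root "$(ps -eo user=,comm=)"; then
        echo "WARN: splunkd is running as root; setuid.sh lets it run unprivileged"
    else
        echo "OK:   splunkd is not running as root"
    fi
}

# Usage: SPLUNK_HOME=/opt/splunk sh audit_streamfwd.sh run
if [ "${1:-}" = "run" ]; then
    audit_streamfwd
fi
```

The two helper functions take their input as arguments rather than calling stat and ps directly, so the decision logic can be exercised against constructed values; audit_streamfwd is the only part that touches the host.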

Step 4: Enable Wire Data data input

1. Go to Settings > Data Inputs.

2. Click on Wire Data.

3. Locate the "streamfwd" data input in the list, and click Enable.

The Wire Data (Stream Forwarder) data input is now enabled and begins to send event data to Splunk.

Note: If you do not see the Wire Data modular input on the Data Inputs page, clear your browser cache and log back into Splunk. If this does not work, please see this troubleshooting article.

Step 5: Verify data input

1. Open the Splunk Search and Reporting app.

2. In the Search window, enter source=stream*.

You should now see captured network event data in the events window.

Note: The syntax of source and sourcetype changes in version 6.1. To verify data input in versions 6.0.2 and earlier, enter source=stream.

Upgrade from an earlier version

You can upgrade from an earlier version of Splunk App for Stream using Splunk Web.

1. Log into Splunk Web.

2. In the top left menu, click Manage Apps.

3. Click Install app from file.

4. Click Choose file and browse to the latest version of the splunk_app_stream tar.gz installer file.

5. Select the Upgrade app checkbox. This overwrites the current version of the app.

6. Click Upload.

7. Click Restart at the prompt. Splunk Enterprise restarts.

This process upgrades:

  • splunk_app_stream in your $SPLUNK_HOME/etc/apps directory.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/apps directory.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/deployment-apps directory.

Note: This process does not upgrade Splunk_TA_stream unless the installer package includes a new version of the TA. Otherwise, the installer upgrades splunk_app_stream only.

Upgrade Splunk_TA_stream

To upgrade Splunk_TA_stream to the latest version:

1. Make a backup of the Splunk_TA_stream directory:

mv $SPLUNK_HOME/etc/apps/Splunk_TA_stream Splunk_TA_stream.bak

2. Copy the Splunk_TA_stream directory from the new splunk_app_stream tarball:

cp -r $TARBALL_DIR/install/Splunk_TA_stream $SPLUNK_HOME/etc/apps/

3. Copy over the old local configuration directory:

cp -r Splunk_TA_stream.bak/local $SPLUNK_HOME/etc/apps/Splunk_TA_stream/

4. Remove temp directory:

rm -rf Splunk_TA_stream.bak

5. Restart Splunk.

cd $SPLUNK_HOME/bin
./splunk restart
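The five steps above as one function, added here as an example rather than taken from the Splunk Stream documentation. It performs the same backup, copy, restore-local and cleanup sequence, but adds the checks the bare commands leave implicit: the new add-on must actually exist in the tarball, the backup is refused if it would land under $SPLUNK_HOME/etc/apps (splunkd loads every directory there as an app, so a stray Splunk_TA_stream.bak would be picked up as a second copy of the add-on), and the backup is removed only after local/ has been carried forward. The function name, its three parameters and the separate backup directory are assumptions of this example; POSIX sh and cp -R are assumed.

```shell
#!/bin/sh
# Added example (not from the Splunk Stream docs): the manual Splunk_TA_stream
# upgrade as a single checked function. Assumes POSIX sh and cp -R.

# upgrade_ta_stream SPLUNK_HOME TARBALL_DIR BACKUP_DIR
#   SPLUNK_HOME  - Splunk install root
#   TARBALL_DIR  - extracted splunk_app_stream tarball (holds install/Splunk_TA_stream)
#   BACKUP_DIR   - where the previous add-on is parked; must NOT be under etc/apps
# Returns 0 on success; on a failed precondition returns non-zero without
# touching etc/apps.
upgrade_ta_stream() {
    splunk_home=$1; tarball_dir=$2; backup_dir=$3
    apps="$splunk_home/etc/apps"
    old="$apps/Splunk_TA_stream"
    new="$tarball_dir/install/Splunk_TA_stream"
    bak="$backup_dir/Splunk_TA_stream.bak"

    # Preconditions.
    [ -d "$new/default" ] || { echo "no Splunk_TA_stream in $tarball_dir/install" >&2; return 2; }
    case "$bak" in
        "$apps"/*) echo "backup dir must be outside $apps (splunkd loads every dir there as an app)" >&2; return 3 ;;
    esac
    [ -e "$bak" ] && { echo "$bak already exists; refusing to overwrite" >&2; return 4; }

    # Step 1: back up the current add-on (mv keeps local/ intact).
    if [ -d "$old" ]; then mv "$old" "$bak" || return 1; fi
    # Step 2: install the new add-on from the tarball.
    cp -R "$new" "$apps/" || return 1
    # Step 3: carry site-specific local/ configuration forward;
    # default/ is deliberately taken from the new version.
    if [ -d "$bak/local" ]; then cp -R "$bak/local" "$old/" || return 1; fi
    # Step 4: remove the backup only now that local/ has been restored.
    [ -d "$bak" ] && rm -rf "$bak"
    # Step 5 (restart) is left to the caller so it can be scheduled.
    return 0
}

# Usage: SPLUNK_HOME=/opt/splunk TARBALL_DIR=/tmp/splunk_app_stream sh upgrade_ta_stream.sh run
if [ "${1:-}" = "run" ]; then
    upgrade_ta_stream "${SPLUNK_HOME:?}" "${TARBALL_DIR:?}" "${TMPDIR:-/tmp}" \
        && "$SPLUNK_HOME/bin/splunk" restart
fi
```

Only local/ is restored from the backup; anything a site may have edited under default/ is intentionally replaced, which is the same behaviour as the documented steps and the reason Splunk configuration overrides belong in local/.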

Last modified on 13 March, 2015

This documentation applies to the following versions of Splunk Stream: 6.0, 6.0.1, 6.0.2
