Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Install Splunk App for Stream

The Splunk App for Stream installation package installs the following items:

  • Splunk Stream Add-on (Splunk_TA_stream): Splunk_TA_stream contains the streamfwd binary, which performs network data event capture and provides a new "Wire Data" data input type for Splunk Enterprise.
  • Splunk App for Stream (splunk_app_stream): splunk_app_stream provides configuration management and monitoring of the streamfwd binary.

Splunk_TA_stream and splunk_app_stream are installed in $SPLUNK_HOME/etc/apps. The streamfwd binary is located in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/<machine_type>/bin.

The installer also places a copy of Splunk_TA_stream into $SPLUNK_HOME/etc/apps/deployment-apps. You can use the Splunk deployment server to distribute Splunk_TA_stream from the deployment-apps directory to any new forwarders that you add to your deployment. See "Deployment server and forwarder management".

For more information on Splunk App for Stream components, see Splunk App for Stream Deployment Architecture.

Install Splunk App for Stream

Download the Splunk App for Stream installation package from Splunk Apps. You can then install the app using Splunk Web.

Note: If you are upgrading from an earlier version of Splunk App for Stream, see Upgrade from an earlier version, prior to installation.

Step 1: Download the installation package

1. Go to http://apps.splunk.com/app/1809/.

2. Click Download.

The splunk_app_stream tar.gz installer file downloads to your local host.

Step 2: Install using Splunk Web

1. Log into Splunk Web.

2. In the top left menu, click Manage Apps.

3. Click Install app from file.

4. Upload the splunk_app_stream tar.gz installer file.

5. Click Restart at the prompt. Splunk Enterprise restarts.

This process installs:

  • splunk_app_stream in your $SPLUNK_HOME/etc/apps directory.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/apps directory. This sets up a new Wire Data data input, which is disabled by default.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/deployment-apps directory. This is a copy of the Stream Add-on pre-configured and enabled for deployment to other Splunk servers, including Universal Forwarders.

Step 3: Ensure Proper Permissions

splunkd (Indexer or Forwarder) must be running with root/Administrator privileges for streamfwd to run in promiscuous mode and sniff packets from the network interface. If you would prefer splunkd not run as root, you can use the setuid.sh script to give just streamfwd root privileges: 

cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo ./setuid.sh

Step 4: Enable Wire Data data input

1. Go to Settings > Data Inputs.

2. Click on Wire Data.

3. Locate the "streamfwd" data input in the list, and click Enable.

The Wire Data (Stream Forwarder) data input is now enabled and begins to send event data to Splunk.

Note: If you do not see the Wire Data modular input on the Data Inputs page, clear your browser cache and log back into Splunk. If this does not work, please see this troubleshooting article.

Step 5: Verify data input

1. Open the Splunk Search and Reporting app.

2. In the Search window, enter source=stream*.

You should now see captured network event data in the events window.

Note: The syntax of source and sourcetype changes in version 6.1. To verify data input in versions 6.02 and earlier, enter source=stream.

About source and sourcetype syntax changes in version 6.1

To make the sourcetype syntax consistent with the non-variable sourcetype syntax used in props.conf, Splunk App for Stream 6.1 updates the syntax of both source and sourcetype.

Note: This syntax change is in line with other Splunk apps and is not unique to Splunk App for Stream.

In version 6.0.2 and earlier, the syntax was: 

source=stream
sourcetype=stream:<stream-id>

In version 6.1 the syntax is: 

source=stream:<stream-id>
sourcetype=stream:<protocol>

If you used source=stream for a search in 6.02 and earlier, in 6.1 use:

source=stream*

If you used sourcetype=stream:<stream-id> for a search of a custom (cloned) stream in 6.02 and earlier, in 6.1 use:

source=stream:<stream-id>

Note: If you used sourcetype=stream:<stream-id> to search a default stream, in 6.1 no change is necessary because the default <stream-id> is the same as <protocol>.

How to upgrade from an earlier version

You can upgrade from an earlier version of Splunk App for Stream using Splunk Web.

1. Log into Splunk Web.

2. In the top left menu, click Manage Apps.

3. Click Install app from file.

4. Click Choose file and browse to the latest version of the splunk_app_stream tar.gz installer file.

5.. Select the Upgrade app checkbox. This overwrites the current version of the app.

6. Click Upload. 

7. Click Restart at the prompt. Splunk Enterprise restarts.

This process upgrades:

  • splunk_app_stream in your $SPLUNK_HOME/etc/apps directory.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/apps directory.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/deployment-apps directory

Note: This process does not upgrade Splunk_TA_stream unless the installer package includes a new version of the TA. Otherwise, the installer upgrades splunk_app_stream only.

How to manually upgrade Splunk_TA_stream

When you upgrade Splunk App for Stream, Splunk_TA_stream is automatically upgraded on the server on which Splunk App for Stream is installed. The TA is not automatically upgraded on forwarders. If your Stream deployment includes additional forwarders, you must upgrade Splunk_TA_stream on each forwarder manually, or use another mechanism to install the TA, such as Puppet, Chef, or the Splunk deployment server.

To manually upgrade Splunk_TA_stream to the latest version:

1. Make a backup of the Splunk_TA_stream directory: 

mv $SPLUNK_HOME/etc/apps/Splunk_TA_stream Splunk_TA_stream.bak

2. Copy the Splunk_TA_stream directory from the new splunk_app_stream tarball: 

cp -r $TARBALL_DIR/install/Splunk_TA_stream $SPLUNK_HOME/etc/apps/

3. Copy over the old local configuration directory: 

cp –r Splunk_TA_stream.bak/local $SPLUNK_HOME/etc/apps/Splunk_TA_stream/

4. Remove temp directory: 

rm –rf Splunk_TA_stream.bak

5. Restart Splunk. 

cd $SPLUNK_HOME/bin
./splunk restart
Last modified on 07 February, 2015
Stream protocols that map to the Splunk CIM   Configure Stream forwarder

This documentation applies to the following versions of Splunk Stream: 6.1.0, 6.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters