Configure universal forwarder for use with Stream
Send data to _internal index
To send data from Splunk_TA_stream to your _internal index and to populate Splunk App for Stream dashboards, you must manually configure the universal forwarder, as follows:
1. Edit $SPLUNK_HOME/etc/system/local/outputs.conf.
2. Add the following stanza:
    [tcpout]
    forwardedindex.2.whitelist = (_audit|_introspection|_internal)
For more information, see "Configure forwarders with outputs.conf" in the Forwarding Data manual.
Manage Splunk_TA_stream stats data
Splunk_TA_stream (Stream forwarder) sends operational statistics and log data to the _internal index. Splunk App for Stream uses this data to populate built-in dashboards, including the Stream Estimate dashboard.
There are three event types that Splunk_TA_stream sends to the _internal index:
stream:stats
stream:log
streamfwd*
The streamfwd* event type comes from the stream forwarder's local log file. The forwarder monitors that log file along with other files in the $SPLUNK_HOME/var/log/splunk/ directory. Though it is useful for troubleshooting locally, the data that streamfwd* contains is the same as the data that stream:log contains. Therefore, you can safely blacklist the streamfwd* event type to avoid indexing duplicate data.
For more information, see "Whitelist- or blacklist-specific incoming data" in the Getting Data In manual.
Modify universal forwarder data limits
By default, the Splunk universal forwarder sends a maximum of 256 Kbps of data to your Splunk indexers. Depending on your streamfwd process throughput and configuration, Splunk_TA_stream might generate more data than this.
To modify or remove the default universal forwarder limit:
1. Edit $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/local/limits.conf.
2. Modify the [thruput] stanza. For example:
    [thruput]
    maxKBps = 0
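An added example, not part of the Splunk documentation: a Python check that the two local edits described above (the [tcpout] index filter in outputs.conf and the [thruput] limit in limits.conf) are actually present. The function names and sample file contents are constructed for illustration; the check reads only the text it is given and assumes the filter must match the whole index name.

```python
import configparser
import re

def read_stanza(text, stanza):
    """Return one stanza of Splunk .conf text as a dict (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. maxKBps
    cp.read_string(text)
    return dict(cp[stanza]) if cp.has_section(stanza) else {}

def check_forwarder(outputs_conf, limits_conf, default_limit=256):
    """Return a list of findings; an empty list means both edits are present."""
    findings = []
    wl = read_stanza(outputs_conf, "tcpout").get("forwardedindex.2.whitelist")
    if wl is None:
        findings.append("outputs.conf: forwardedindex.2.whitelist missing from [tcpout]")
    else:
        try:
            # Assumption: the filter regex must match the whole index name.
            if not re.fullmatch(wl, "_internal"):
                findings.append("outputs.conf: whitelist does not match _internal")
        except re.error as exc:
            findings.append(f"outputs.conf: invalid whitelist regex ({exc})")
    raw = read_stanza(limits_conf, "thruput").get("maxKBps")
    if raw is None:
        findings.append("limits.conf: maxKBps not set, default limit applies")
    elif not raw.isdigit():
        findings.append(f"limits.conf: maxKBps is not a number: {raw!r}")
    elif 0 < int(raw) <= default_limit:  # 0 removes the limit entirely
        findings.append(f"limits.conf: maxKBps = {raw} does not raise the default limit")
    return findings

# Constructed sample files, not taken from a real forwarder.
EDITED_OUTPUTS = "[tcpout]\nforwardedindex.2.whitelist = (_audit|_introspection|_internal)\n"
EDITED_LIMITS = "[thruput]\nmaxKBps = 0\n"
UNEDITED_OUTPUTS = "[tcpout]\nforwardedindex.2.whitelist = _audit\n"
UNEDITED_LIMITS = "[thruput]\n# maxKBps left at its default\n"

if __name__ == "__main__":
    print(check_forwarder(EDITED_OUTPUTS, EDITED_LIMITS))
    for line in check_forwarder(UNEDITED_OUTPUTS, UNEDITED_LIMITS):
        print(line)
```

Because it inspects only the local files, confirm the effective merged settings on the forwarder itself with `splunk btool outputs list tcpout --debug`.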
This documentation applies to the following versions of Splunk Stream™: 6.3.0, 6.3.1, 6.3.2, 6.4.0