Configure universal forwarder for use with Stream
Send data to _internal index
To send data from Splunk_TA_stream to your _internal index and to populate Splunk App for Stream dashboards, you must manually configure the universal forwarder, as follows:
2. Add the following stanza:
[tcpout]
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
For more information, see "Configure forwarders with outputs.conf" in the Forwarding Data manual.
Manage Splunk_TA_stream stats data
Splunk_TA_stream (Stream forwarder) sends operational statistics and log data to the _internal index. Splunk App for Stream uses this data to populate built-in dashboards, including the Stream Estimate dashboard.
There are three event types that Splunk_TA_stream sends to
The streamfwd* event type comes from the stream forwarder's local log file. The forwarder monitors that log file along with other files in the $SPLUNK_HOME/var/log/splunk/ directory. Though it is useful for troubleshooting locally, the data that streamfwd* contains is the same as the data that stream:log contains. Therefore, you can safely blacklist the streamfwd* event type to avoid indexing duplicate data.
For more information, see "Whitelist- or blacklist-specific incoming data" in the Getting Data In manual.
Modify universal forwarder data limits
By default, the Splunk universal forwarder sends a maximum of 256 Kbps of data to your Splunk indexers. Depending on your streamfwd process throughput and configuration, Splunk_TA_stream might generate more data than this.
To modify or remove the default universal forwarder limit:
2. Modify the [thruput] stanza. For example:
[thruput]
maxKBps = 0
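To confirm that both settings described on this page are in place on a forwarder, the following added example (not part of the Splunk documentation or product) parses the text of outputs.conf and of limits.conf, the file that holds the [thruput] stanza, and reports what is missing. The function names and sample files are constructed for illustration, and the check assumes the whitelist regex must match the whole index name.

```python
import re

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit(outputs_text, limits_text, index="_internal", default_kbps=256):
    """Return a list of findings; an empty list means both settings are in place."""
    findings = []
    tcpout = parse_conf(outputs_text).get("tcpout", {})
    pattern = tcpout.get("forwardedindex.2.whitelist")
    # Assumption: the whitelist regex has to match the whole index name.
    if pattern is None:
        findings.append("forwardedindex.2.whitelist is not set in [tcpout]")
    elif re.fullmatch(pattern, index) is None:
        findings.append(f"forwardedindex.2.whitelist does not match {index}")
    raw_limit = parse_conf(limits_text).get("thruput", {}).get("maxKBps")
    # With no [thruput] override, the default limit stated on this page applies.
    limit = default_kbps if raw_limit is None else int(raw_limit)
    if limit != 0:  # maxKBps = 0 removes the cap
        findings.append(f"thruput is capped at {limit} KBps")
    return findings

# Constructed sample files, not taken from a real deployment.
GOOD_OUTPUTS = """
[tcpout]
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
"""
BAD_OUTPUTS = """
[tcpout]
forwardedindex.2.whitelist = (_audit|_introspection)
"""
GOOD_LIMITS = "[thruput]\nmaxKBps = 0\n"
NO_LIMITS = "# no [thruput] stanza\n"

if __name__ == "__main__":
    print(audit(GOOD_OUTPUTS, GOOD_LIMITS))
    for finding in audit(BAD_OUTPUTS, NO_LIMITS):
        print("FINDING:", finding)
```

A non-zero cap is reported for information only: a limit raised above the default is still a valid configuration if it covers what streamfwd generates.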
This documentation applies to the following versions of Splunk Stream™: 6.3.0, 6.3.1, 6.3.2, 6.4.0