Install Splunk App for Stream
This topic provides basic installation instructions for Splunk App for Stream. For information on where to install Splunk App for Stream components in a distributed Splunk Enterprise environment, see Deployment architectures in this manual.
Splunk App for Stream components
The Splunk App for Stream installation package installs the following components:
- Splunk App for Stream (splunk_app_stream): splunk_app_stream provides configuration management and monitoring of network event capture for the streamfwd binary.
- Splunk Stream Add-on (Splunk_TA_stream): Splunk_TA_stream contains the streamfwd binary, which performs passive capture of network event data and sends that data to indexers using the "Wire Data" modular input.
Install Splunk App for Stream
Step 1: Download the installation package
1. Go to http://splunkbase.com/app/1809/.
2. Click Download.
The splunk_app_for_stream_642.tgz installation package downloads to your local host.
Step 2: Install using Splunk Web
1. Log into Splunk Web.
2. In the top left menu, click Manage Apps.
3. Click Install app from file.
4. Upload the splunk_app_for_stream_642.tgz installer file.
5. Restart Splunk Enterprise (if required).
This process installs Splunk App for Stream components in the following locations:
- splunk_app_stream in $SPLUNK_HOME/etc/apps.
- Splunk_TA_stream in $SPLUNK_HOME/etc/apps.
- Splunk_TA_stream in your $SPLUNK_HOME/etc/deployment-apps directory. This is a pre-configured copy of Splunk_TA_stream that you can deploy to new universal forwarders using the deployment server. For more information, see Deployment server and forwarder management in the Updating Splunk Enterprise Instances manual.
Note: The streamfwd binary is located in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/<machine_type>/bin.
Step 3: Ensure proper permissions
splunkd must be running with root/Administrator privileges for the streamfwd binary to capture packets from the network interface.
On *nix, if you prefer that splunkd not run as root, you can use the setuid.sh script to give root privileges to streamfwd only:
cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo ./setuid.sh
Keep in mind that a setuid-root streamfwd runs as root for any local account that is allowed to execute it, so limit execute permission on the binary to the account splunkd runs under.
On Windows, you must be running as Administrator, or install WinPcap separately. See Windows installation considerations on this page.
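The following script is an added example, not part of the Splunk documentation or the app itself. It checks the outcome of Steps 2 and 3 above: that the three installed locations exist, which account splunkd runs as, and, when that account is not root, whether the streamfwd binary is root-owned with the setuid bit set (the state setuid.sh is meant to produce). The paths follow the documentation; the machine_type directory name (linux_x86_64) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): post-install checks for
# the layout and permissions described in Steps 2 and 3.

# check_stream_layout APPS_DIR DEPLOY_DIR
# Verifies the three locations the installer populates.
# Prints "ok", or the first missing path and returns 1.
check_stream_layout() {
    apps_dir=$1
    deploy_dir=$2
    for d in "$apps_dir/splunk_app_stream" \
             "$apps_dir/Splunk_TA_stream" \
             "$deploy_dir/Splunk_TA_stream"; do
        [ -d "$d" ] || { echo "$d"; return 1; }
    done
    echo ok
}

# check_streamfwd_setuid BINARY
# For a non-root splunkd, streamfwd must be owned by root with the setuid
# bit set. Prints one of: missing | no-setuid | not-root-owned | ok
check_streamfwd_setuid() {
    bin=$1
    [ -f "$bin" ] || { echo missing; return 1; }
    # ls -ld is portable across *nix: field 1 is the mode, field 3 the owner.
    mode=$(ls -ld "$bin" | awk '{print $1}')
    owner=$(ls -ld "$bin" | awk '{print $3}')
    case "$mode" in
        ???[sS]*) ;;                 # 's' in the user-execute slot means setuid
        *) echo no-setuid; return 1 ;;
    esac
    [ "$owner" = root ] || { echo not-root-owned; return 1; }
    echo ok
}

# splunkd_user: the account splunkd runs under, or "not-running".
splunkd_user() {
    u=$(ps -eo user=,comm= | awk '$2 == "splunkd" { print $1; exit }')
    echo "${u:-not-running}"
}

# Only run the checks when SPLUNK_HOME is set, so the functions can be
# sourced from other scripts without side effects.
if [ -n "$SPLUNK_HOME" ]; then
    echo "layout: $(check_stream_layout "$SPLUNK_HOME/etc/apps" "$SPLUNK_HOME/etc/deployment-apps")"
    u=$(splunkd_user)
    echo "splunkd runs as: $u"
    if [ "$u" != root ]; then
        # machine_type directory assumed to be linux_x86_64 (64-bit Linux)
        echo "streamfwd setuid: $(check_streamfwd_setuid "$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd")"
    fi
fi
```

Run it with SPLUNK_HOME exported on the search head after installing the app. A result of no-setuid or not-root-owned with a non-root splunkd means streamfwd will start but capture nothing; rerun setuid.sh before configuring the forwarder.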
Step 4: Verify data input
1. In Splunk Web, click Apps > Search and Reporting.
2. In the Search window, enter source=stream*.
Network event data appears in the events window.
Note: The syntax of source and sourcetype changes in version 6.1. To verify data input in versions 6.0.2 and earlier, enter source=stream.
Next Steps
After you install Splunk App for Stream, you must configure the Stream Forwarder to listen on your specific interface. For detailed configuration instructions, see Configure Stream Forwarder in this manual.
Upgrade from an earlier version
You can upgrade from an earlier version of Splunk App for Stream using Splunk Web.
1. Log into Splunk Web.
2. In the top left menu, click Manage Apps.
3. Click Install app from file.
4. Click Choose file and browse to the latest version of the splunk_app_stream tar.gz installer file.
5. Select the Upgrade app checkbox. This overwrites the current version of the app.
6. Click Upload.
7. Restart Splunk Enterprise (if required).
This process upgrades:
- splunk_app_stream in your $SPLUNK_HOME/etc/apps directory.
- Splunk_TA_stream in your $SPLUNK_HOME/etc/apps directory.
- Splunk_TA_stream in your $SPLUNK_HOME/etc/deployment-apps directory.
Note: This process does not upgrade Splunk_TA_stream unless the installer package includes a new version of the TA. Otherwise, the installer upgrades splunk_app_stream only.
How to manually upgrade Splunk_TA_stream
When you upgrade Splunk App for Stream, Splunk_TA_stream is automatically upgraded on the server on which Splunk App for Stream is installed. The TA is not automatically upgraded on forwarders. If your Stream deployment includes additional forwarders, you must upgrade Splunk_TA_stream on each forwarder manually, or use another mechanism to install the TA, such as Puppet, Chef, or the Splunk deployment server.
To manually upgrade Splunk_TA_stream to the latest version (run all steps from the same working directory, because step 1 creates the backup relative to it):
1. Make a backup of the Splunk_TA_stream directory:
mv $SPLUNK_HOME/etc/apps/Splunk_TA_stream Splunk_TA_stream.bak
2. Copy the Splunk_TA_stream directory from the new splunk_app_stream tarball:
cp -r $TARBALL_DIR/install/Splunk_TA_stream $SPLUNK_HOME/etc/apps/
3. Copy over the old local configuration directory:
cp -r Splunk_TA_stream.bak/local $SPLUNK_HOME/etc/apps/Splunk_TA_stream/
4. Remove the temporary directory:
rm -rf Splunk_TA_stream.bak
5. Restart Splunk:
cd $SPLUNK_HOME/bin
./splunk restart
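The function below is an added example that wraps steps 1 through 4 of the manual upgrade into one operation with the checks a practitioner would want on a forwarder: it refuses to run if the new TA directory is missing, carries the existing local/ overrides into the new copy, and rolls back to the backup if any copy fails, so a half-finished upgrade never leaves the forwarder without a TA. It is not the app's own code; the directory names follow the procedure above, and the function name, the backup suffix, and the usage paths are assumptions. The restart in step 5 is deliberately left to the caller.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): replace Splunk_TA_stream
# with a new copy while preserving local/ configuration, with rollback.

# upgrade_stream_ta NEW_TA_DIR APPS_DIR
#   NEW_TA_DIR: Splunk_TA_stream directory unpacked from the new app tarball
#   APPS_DIR:   the Splunk apps directory ($SPLUNK_HOME/etc/apps)
# Returns 0 on success. On any failure the original TA is left in place.
upgrade_stream_ta() {
    new_ta=$1
    apps_dir=$2
    old_ta=$apps_dir/Splunk_TA_stream
    bak=$apps_dir/Splunk_TA_stream.bak.$$   # backup suffix is an assumption

    # Sanity checks before anything is moved.
    [ -d "$new_ta" ] || { echo "new TA not found: $new_ta" >&2; return 1; }
    [ -d "$old_ta" ] || { echo "no existing TA at $old_ta" >&2; return 1; }
    if ! find "$new_ta" -path '*/bin/streamfwd' | grep -q .; then
        echo "warning: no streamfwd binary found under $new_ta" >&2
    fi

    # Step 1: set the current copy aside as the backup.
    mv "$old_ta" "$bak" || return 1

    # Step 2: install the new copy; roll back if the copy fails.
    if ! cp -R "$new_ta" "$old_ta"; then
        rm -rf "$old_ta"; mv "$bak" "$old_ta"
        echo "copy failed, restored previous TA" >&2
        return 1
    fi

    # Step 3: carry over site-specific settings. local/ is never shipped in
    # the tarball, so this is what keeps the forwarder's inputs and
    # streamfwd settings intact across the upgrade.
    if [ -d "$bak/local" ]; then
        if ! cp -R "$bak/local" "$old_ta/"; then
            rm -rf "$old_ta"; mv "$bak" "$old_ta"
            echo "local/ copy failed, restored previous TA" >&2
            return 1
        fi
    fi

    # Step 4: drop the backup only once the new copy is complete.
    rm -rf "$bak"
    echo "upgraded $old_ta; restart splunkd to load it"
}

# Usage (assumed paths, matching the manual procedure):
#   upgrade_stream_ta "$TARBALL_DIR/install/Splunk_TA_stream" "$SPLUNK_HOME/etc/apps"
#   cd "$SPLUNK_HOME/bin" && ./splunk restart
```

The backup is created beside the app rather than in the working directory, so the function behaves the same regardless of where it is invoked, and it can be pushed to each forwarder by the same tooling (Puppet, Chef, or a deployment server script) that the text mentions.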
Windows installation considerations
Caution: Splunk App for Stream uses the WinPcap driver to capture packets on Windows systems. Because of a flaw in the WinPcap security model, installing Stream on Windows lets every local user, not only administrators, use WinPcap to sniff packets. Treat a Windows host running Stream as one where any local account can read network traffic. For more information, see https://wiki.wireshark.org/CaptureSetup/CapturePrivileges.
On Windows systems, Splunk App for Stream supports the Admin role only.
This documentation applies to the following versions of Splunk Stream™: 6.4.0, 6.4.1, 6.4.2