Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Install Splunk App for Stream

This topic provides basic installation instructions for Splunk App for Stream. For information on where to install Splunk App for Stream components in a distributed Splunk Enterprise environment, see Deployment architectures in this manual.

Splunk App for Stream components

The Splunk App for Stream installation package installs the following components:

  • Splunk App for Stream (splunk_app_stream): splunk_app_stream provides configuration management and monitoring of network event capture for the streamfwd binary.
  • Splunk Stream Add-on (Splunk_TA_stream): Splunk_TA_stream contains the streamfwd binary, which performs passive capture of network event data, and sends that data to indexers using the "Wire Data" modular input.

Install Splunk App for Stream

Step 1: Download the installation package

1. Go to http://splunkbase.com/app/1809/.

2. Click Download.

The splunk_app_for_stream_642.tgz installation package downloads to your local host.

Step 2: Install using Splunk Web

1. Log into Splunk Web.

2. In the top left menu, click Manage Apps.

3. Click Install app from file.

4. Upload the splunk_app_for_stream_642.tgz installer file.

5. Restart Splunk Enterprise (if required).

This process installs Splunk App for Stream components in the following locations:

  • splunk_app_stream in $SPLUNK_HOME/etc/apps.
  • Splunk_TA_stream in $SPLUNK_HOME/etc/apps.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/deployment-apps directory. This is a pre-configured copy of Splunk_TA_stream that you can deploy to new universal forwarders using the deployment server. For more information, see Deployment server and forwarder management in the Updating Splunk Enterprise Instances manual.
Note: The streamfwd binary is located in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/<machine_type>/bin.

Step 3: Ensure Proper Permissions

splunkd must be running with root/Administrator privileges for the streamfwd binary to capture packets from the network interface.

On *nix, if you prefer that splunkd not run as root, you can use the setuid.sh script to give root privileges to streamfwd only: 

cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo ./setuid.sh

On Windows, you must be running as Administrator, or install WinPcap separately. See Windows installation considerations on this page.

Step 4: Verify data input

1. In Splunk Web, click Apps > Search and Reporting.

2. In the Search window, enter source=stream*.

Network event data appears in the events window.

Note: The syntax of source and sourcetype changes in version 6.1. To verify data input in versions 6.02 and earlier, enter source=stream.

Next Steps

After you install Splunk App for Stream, you must configure the Stream Forwarder to listen on your specific interface. For detailed configuration instructions, see Configure Stream Forwarder in this manual.

Upgrade from an earlier version

You can upgrade from an earlier version of Splunk App for Stream using Splunk Web.

1. Log into Splunk Web.

2. In the top left menu, click Manage Apps.

3. Click Install app from file.

4. Click Choose file and browse to the latest version of the splunk_app_stream tar.gz installer file.

5.. Select the Upgrade app checkbox. This overwrites the current version of the app.

6. Click Upload.

7. Restart Splunk Enterprise (if required).

This process upgrades:

  • splunk_app_stream in your $SPLUNK_HOME/etc/apps directory.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/apps directory.
  • Splunk_TA_stream in your $SPLUNK_HOME/etc/deployment-apps directory

Note: This process does not upgrade Splunk_TA_stream unless the installer package includes a new version of the TA. Otherwise, the installer upgrades splunk_app_stream only.

How to manually upgrade Splunk_TA_stream

When you upgrade Splunk App for Stream, Splunk_TA_stream is automatically upgraded on the server on which Splunk App for Stream is installed. The TA is not automatically upgraded on forwarders. If your Stream deployment includes additional forwarders, you must upgrade Splunk_TA_stream on each forwarder manually, or use another mechanism to install the TA, such as Puppet, Chef, or the Splunk deployment server.

To manually upgrade Splunk_TA_stream to the latest version:

1. Make a backup of the Splunk_TA_stream directory: 

mv $SPLUNK_HOME/etc/apps/Splunk_TA_stream Splunk_TA_stream.bak

2. Copy the Splunk_TA_stream directory from the new splunk_app_stream tarball: 

cp -r $TARBALL_DIR/install/Splunk_TA_stream $SPLUNK_HOME/etc/apps/

3. Copy over the old local configuration directory: 

cp –r Splunk_TA_stream.bak/local $SPLUNK_HOME/etc/apps/Splunk_TA_stream/

4. Remove temp directory: 

rm –rf Splunk_TA_stream.bak

5. Restart Splunk. 

cd $SPLUNK_HOME/bin
./splunk restart

Windows installation considerations

Caution: Splunk App for Stream uses the WinPcap driver to capture packets on Windows systems. Due to a flaw in the WinPcap security model, installing Stream on Windows allows all local users to use WinPcap for packet sniffing. For more information, see https://wiki.wireshark.org/CaptureSetup/CapturePrivileges.

On Windows systems, Splunk App for Stream supports the Admin role only.

Last modified on 06 April, 2016
Source and sourcetype syntax   Configure universal forwarder for use with Stream

This documentation applies to the following versions of Splunk Stream: 6.4.0, 6.4.1, 6.4.2

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters