Install Splunk App for Stream
This topic shows you how to install and upgrade Splunk App for Stream in both single instance and distributed Splunk Enterprise environments. For an overview of these deployment environments, see Deployment architectures in this manual.
Splunk App for Stream components
The Splunk App for Stream install package includes the following components:
- splunk_app_stream: Provides configuration management for the streamfwd binary. It also provides stream forwarder management tools, filters for fine-tuning data capture, pre-defined streams, and dashboards for analysis of Stream metrics and network events.
- Splunk_TA_stream: Provides data ingestion and forwarding capabilities for Splunk App for Stream. Splunk_TA_stream includes the Stream Forwarder (streamfwd) binary. streamfwd is the core component of Splunk_TA_stream and provides passive capture of network data.
- Independent Stream Forwarder: The Splunk App for Stream installation package includes an independent stream forwarder install package (splunkstreamfwd.tgz) that is not deployed with splunk_app_stream and Splunk_TA_stream. Splunk App for Stream generates a curl command that lets you install the independent Stream Forwarder on any compatible Linux machine.
Install Splunk App for Stream on a single instance
You can install Splunk App for Stream on a single Splunk Enterprise instance. In a single-instance deployment, a single Splunk Enterprise instance serves as both search head and indexer.
- Go to http://splunkbase.com/app/1809/.
- Click Download. The splunk_app_for_stream_651.tgz installation package downloads to your local host.
- Log into Splunk Web.
- Click Manage Apps > Install app from file.
- Upload the splunk_app_for_stream_651.tgz installer file.
- Restart Splunk Enterprise (if prompted).
This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps on the single instance.
Install Splunk App for Stream in a distributed environment
You can install Splunk App for Stream in any distributed Splunk Enterprise environment. For information on Splunk App for Stream distributed deployment architectures, see Distributed deployment in this manual. Splunk App for Stream version 6.5.0 and later supports search head clusters.
Install Splunk App for Stream on search heads and indexers
- Go to http://splunkbase.com/app/1809/.
- Click Download. The splunk_app_for_stream_651.tgz installation package downloads to your local host.
- Log into Splunk Web.
- Click Manage Apps > Install app from file.
- Upload the splunk_app_for_stream_651.tgz installer file.
- Restart Splunk Enterprise (if prompted).
- Repeat steps 3-6 on both search heads and indexers.
This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps on both search heads and indexers.
Enable SSL certificate validation
You can enable certificate validation for the SSL connection from Splunk_TA_stream (streamfwd) to the splunk_app_stream server, so that the forwarder verifies the identity of the server it takes its configuration from. To enable certificate validation, set the appropriate parameters in inputs.conf:
- Edit $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf.
- Set the following parameters:
sslVerifyServerCert = true
* Enables server (splunk_app_stream) certificate validation on the client (streamfwd) side.
rootCA = <path>
* The full path to the root CA certificate file. If sslVerifyServerCert is set to true, rootCA must give the full path to the root CA certificate file. If this parameter is left empty or points to a non-existent file, certificate validation does not occur.
sslCommonNameToCheck = <commonName>
* Overrides the common name value to compare against the certificate CN. If this parameter is left blank, the fully qualified host name of the splunk_app_stream server is verified against the CN in the server certificate. For the certificate CN, the following Common Name formats are supported: *.app.splunk.com or streamapp.app.splunk.com.
Note: If certificate validation is enabled, and validation fails either because the certificate is not valid or because the common names do not match, streamfwd does not connect to the splunk_app_stream server. Because an empty or wrong rootCA path turns validation off without an error rather than refusing the connection, confirm that the path resolves on every forwarder after you deploy the configuration.
Configure deployment server to distribute Splunk_TA_stream to universal forwarders
The Splunk App for Stream install package places a copy of Splunk_TA_stream in the $SPLUNK_HOME/etc/deployment-apps directory. This is a pre-configured copy of Splunk_TA_stream that you can deploy to universal forwarders using the deployment server.
For instructions on how to set up the deployment server to distribute Splunk_TA_stream to universal forwarders, see Plan a deployment in Updating Splunk Enterprise Instances.
Configure indexer receiving port
- On indexers, go to Settings > Forwarding and Receiving.
- Click Configure Receiving.
- Click New. Enter the receiving port number. For example, port 9997.
- Click Save.
Ensure Splunk_TA_stream privileges
splunkd must be running with root/Administrator privileges for Splunk_TA_stream (streamfwd) to capture packets on the network interface. This applies to both single-instance and distributed deployments.
On *nix, if you prefer that splunkd not run as root, you can use the set_permissions.sh script to set the required OS-level privileges on streamfwd only:
cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream/
sudo ./set_permissions.sh
On Windows, you must be running as Administrator, or install WinPcap separately. See Windows installation considerations on this page.
Manually install Splunk_TA_stream on remote universal forwarders
If you want to collect network data from one or more remote servers, and you are not using the deployment server, you can manually install Splunk_TA_stream on universal forwarders on each server, as follows:
- Install Splunk App for Stream as described in Install Splunk App for Stream in a distributed environment on this page. This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps. This also installs a version of Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps.
- Copy Splunk_TA_stream from $SPLUNK_HOME/etc/deployment-apps into $SPLUNK_HOME/etc/apps on each universal forwarder.
- Verify the Splunk_TA_stream configuration on each universal forwarder as follows:
  - Verify that Splunk_TA_stream/local/inputs.conf specifies the correct location of splunk_app_stream. For example:
[streamfwd://streamfwd]
splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
  On a remote forwarder, replace localhost with the resolvable name of the search head that runs splunk_app_stream. If you enable certificate validation, this is also the name that is checked against the server certificate CN unless you set sslCommonNameToCheck.
  - Verify that Splunk_TA_stream/local/streamfwd.conf is configured to collect data from the appropriate network interface.
For more information, see Configure Stream forwarder in this manual.
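The following is an added example, not part of Splunk_TA_stream or of this manual: a POSIX sh lint for the local/inputs.conf a forwarder ships with. It checks the [streamfwd://...] stanza settings shown in the verification step above and the certificate-validation parameters from Enable SSL certificate validation, and in particular flags the case that section's note describes, where sslVerifyServerCert = true with an empty or missing rootCA leaves validation silently off. The parameter names are the ones documented on this page; the function names, the messages and the PEM-header check are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not shipped with Splunk App for Stream): lint a universal
# forwarder's Splunk_TA_stream/local/inputs.conf before restarting splunkd.
# It checks the settings this page documents and catches two silent failures:
#   1. sslVerifyServerCert = true with an empty or unreadable rootCA, which the
#      TA treats as "do not validate" rather than as an error.
#   2. A streamfwd stanza that is disabled or lacks splunk_stream_app_location,
#      so the forwarder never registers with splunk_app_stream.
# The function names and the check logic are this example's own.

# conf_get FILE KEY: print the value of the first "KEY = value" line, trimmed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# lint_stream_inputs FILE: return 0 if the file is safe to ship, 1 otherwise.
# Each finding is printed as FAIL (blocks) or WARN (informational).
lint_stream_inputs() {
    conf="$1"
    rc=0
    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"; return 1
    fi

    # The input stanza itself: must exist, be enabled and point at the app.
    if ! grep -q '^\[streamfwd://' "$conf"; then
        echo "FAIL: no [streamfwd://...] stanza"; rc=1
    fi
    loc=$(conf_get "$conf" splunk_stream_app_location)
    case "$loc" in
        https://*) ;;
        http://*)  echo "WARN: splunk_stream_app_location is plain http: $loc" ;;
        "")        echo "FAIL: splunk_stream_app_location is not set"; rc=1 ;;
        *)         echo "FAIL: splunk_stream_app_location is not a URL: $loc"; rc=1 ;;
    esac
    if [ "$(conf_get "$conf" disabled)" = "1" ]; then
        echo "FAIL: streamfwd input is disabled (disabled = 1)"; rc=1
    fi

    # Certificate validation: true is only meaningful with a usable rootCA.
    verify=$(conf_get "$conf" sslVerifyServerCert)
    ca=$(conf_get "$conf" rootCA)
    if [ "$verify" = "true" ]; then
        if [ -z "$ca" ]; then
            echo "FAIL: sslVerifyServerCert=true but rootCA is empty or unset; validation is silently off"; rc=1
        elif [ ! -r "$ca" ]; then
            echo "FAIL: rootCA=$ca is missing or unreadable; validation is silently off"; rc=1
        elif ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca"; then
            echo "FAIL: rootCA=$ca is not a PEM certificate"; rc=1
        fi
    else
        echo "WARN: sslVerifyServerCert is not true; streamfwd will trust any splunk_app_stream server"
    fi
    return $rc
}
```

Run it as `lint_stream_inputs $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf` on each forwarder (or from whatever tool pushes the TA) and treat a non-zero exit as a reason not to restart. The rootCA check only confirms the file is a readable PEM certificate; whether it is the right CA for the splunk_app_stream server is something streamfwd reports by refusing to connect once validation is actually on.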
Install Independent Stream Forwarder
Splunk App for Stream supports Independent Stream Forwarder (streamfwd) installation on compatible Linux machines. For instructions, see Install Independent Stream Forwarder in this manual.
Upgrade to Splunk App for Stream 6.5.1
You can upgrade to Splunk App for Stream 6.5.1 using Splunk Web.
- Log into Splunk Web.
- In the top left menu, click Manage Apps.
- Click Install app from file.
- Click Choose file and browse to the latest version of the splunk_app_stream tar.gz installer file.
- Select the Upgrade app checkbox. This overwrites the current version of the app.
- Click Upload.
- Restart Splunk Enterprise (if prompted). This upgrades the following directories:
  - splunk_app_stream in $SPLUNK_HOME/etc/apps.
  - Splunk_TA_stream in $SPLUNK_HOME/etc/apps.
  - Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps.
Note: This process upgrades Splunk_TA_stream only if the installer package includes a new version of the TA. Otherwise, the installer upgrades splunk_app_stream only.
Manually upgrade Splunk_TA_stream
When you upgrade Splunk App for Stream, Splunk_TA_stream is automatically upgraded on the server on which Splunk App for Stream is installed. However, Splunk_TA_stream is not automatically upgraded on universal forwarders. If your Stream deployment includes additional universal forwarders and you are not using the deployment server, you must manually upgrade Splunk_TA_stream on each universal forwarder (or use another mechanism to install the TA, such as Puppet or Chef).
To manually upgrade Splunk_TA_stream to the latest version, run the following commands from one working directory, since Splunk_TA_stream.bak is a relative path:
- Make a backup of the Splunk_TA_stream directory:
mv $SPLUNK_HOME/etc/apps/Splunk_TA_stream Splunk_TA_stream.bak
- Copy the Splunk_TA_stream directory from the new splunk_app_stream tarball:
cp -r $TARBALL_DIR/install/Splunk_TA_stream $SPLUNK_HOME/etc/apps/
- Copy over the old local configuration directory:
cp -r Splunk_TA_stream.bak/local $SPLUNK_HOME/etc/apps/Splunk_TA_stream/
- Remove the temp directory:
rm -rf Splunk_TA_stream.bak
- Restart Splunk:
cd $SPLUNK_HOME/bin
./splunk restart
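The manual steps above, as an added example that is not the manual's own procedure verbatim: a POSIX sh function that performs the same upgrade on a forwarder but keeps the previous app under a timestamped backup for rollback instead of deleting it, refuses to install a directory that is not a Splunk app, and merges the old local/ over the new default/ exactly as the cp -r step does. The backup location under $SPLUNK_HOME/var/backup, the function names and the rollback helper are this example's assumptions; NEW_TA_DIR corresponds to $TARBALL_DIR/install/Splunk_TA_stream from the new package. The function does not restart splunkd.

```shell
#!/bin/sh
# Added example (not the Splunk-documented commands verbatim): upgrade
# Splunk_TA_stream on a universal forwarder from an unpacked app tarball,
# carrying local/ across and keeping a timestamped rollback copy instead of
# deleting the old app. The backup location under $SPLUNK_HOME/var/backup is
# this example's own choice; splunkd is not restarted here.

# app_version APPDIR: print the version from APPDIR/default/app.conf (or nothing).
app_version() {
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*//p' \
        "$1/default/app.conf" 2>/dev/null | head -n 1
}

# upgrade_ta_stream NEW_TA_DIR SPLUNK_HOME
# NEW_TA_DIR is $TARBALL_DIR/install/Splunk_TA_stream from the new package.
# Returns 0 on success. On failure before the move, the current app is
# untouched; after it, the old app is still intact in the backup directory.
upgrade_ta_stream() {
    new_ta="$1"; home="$2"
    cur="$home/etc/apps/Splunk_TA_stream"
    bak="$home/var/backup/Splunk_TA_stream.$(date +%Y%m%d%H%M%S)"

    # Refuse to install something that is not a Splunk app directory.
    if [ ! -f "$new_ta/default/app.conf" ]; then
        echo "FAIL: $new_ta has no default/app.conf"; return 1
    fi
    mkdir -p "$home/var/backup" || return 1

    if [ -d "$cur" ]; then
        echo "backing up Splunk_TA_stream $(app_version "$cur") to $bak"
        mv "$cur" "$bak" || return 1
    fi
    cp -R "$new_ta" "$cur" || return 1

    # Merge the old local/ (inputs.conf, streamfwd.conf, ...) over the new
    # app; default/ always comes from the tarball and is never carried over.
    if [ -d "$bak/local" ]; then
        cp -R "$bak/local" "$cur/" || return 1
    fi
    echo "installed Splunk_TA_stream $(app_version "$cur"); restart splunkd to activate"
    return 0
}

# rollback_ta_stream BAKDIR SPLUNK_HOME: put a backup taken above back in place.
rollback_ta_stream() {
    bak="$1"; home="$2"
    cur="$home/etc/apps/Splunk_TA_stream"
    if [ ! -f "$bak/default/app.conf" ]; then
        echo "FAIL: $bak is not a backup of the app"; return 1
    fi
    rm -rf "$cur" && mv "$bak" "$cur"
}
```

Typical use is `upgrade_ta_stream "$TARBALL_DIR/install/Splunk_TA_stream" "$SPLUNK_HOME"` followed by `$SPLUNK_HOME/bin/splunk restart`; if the new forwarder misbehaves, `rollback_ta_stream` with the backup path printed during the upgrade restores the previous app, local/ included, before restarting again. Remove old entries under var/backup once the forwarder has been confirmed healthy.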
Windows installation considerations
Caution: Splunk App for Stream uses the WinPcap driver to capture packets on Windows systems. Due to a flaw in the WinPcap security model, installing Stream on Windows allows all local users to use WinPcap for packet sniffing. For more information, see https://wiki.wireshark.org/CaptureSetup/CapturePrivileges.
On Windows systems, Splunk App for Stream supports the Admin role only.
This documentation applies to the following versions of Splunk Stream™: 6.5.1