Deploy Splunk App for Stream on a search head cluster
This topic shows you how to deploy Splunk App for Stream on a search head cluster.
Prerequisites
- Splunk App for Stream 6.5.0 or later
- Splunk Enterprise 6.3.1 or later
- Existing search head cluster with deployer (outside of the cluster) and a minimum of three search head cluster members.
- KV Store must be enabled on all cluster members. (KV Store is enabled by default on Splunk Enterprise version 6.3.1 and later.)
For more information, see Search head cluster requirements in the Distributed Search manual.
Install Splunk App for Stream on the deployer
- Use Splunk Web to install splunk_app_stream-6.5.x.tgz onto the deployer in $SPLUNK_HOME/etc/apps.
- Move splunk_app_stream and Splunk_TA_stream to shcluster/apps.
Note: Splunk_TA_stream is required on search heads, indexers, and forwarders so that props and transforms stanzas can be applied. To stop data capture on a search head, disable the streamfwd "Wire Data" modular input.
Deploy the configuration bundle to the cluster
Run the splunk apply shcluster-bundle command on the deployer.
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
The -target parameter (required) specifies the URI and management port for any member of the cluster. For example: https://10.0.1.14:8089. Though you specify a single cluster member only, the deployer pushes the URI and management port to all members.
The -auth parameter specifies credentials for the deployer instance. This pushes everything contained in the shcluster/ directory (including splunk_app_stream and Splunk_TA_stream) from the deployer to each search head cluster member.
For more information, see Deploy a configuration bundle in the Distributed Search manual.
Avoid bundle replication of streamfwd binary
In a search head cluster environment, the large size of the Splunk_TA_stream package adds unnecessary overhead to the bundle replication process. To avoid this issue, blacklist the streamfwd binary in the [replicationBlacklist] stanza in both Splunk_TA_stream/local/distsearch.conf and splunk_app_stream/local/distsearch.conf. For example:
# $SPLUNK_HOME/etc/apps/splunk_app_stream/local/distsearch.conf
[replicationBlacklist]
nostreaminstall = apps[/\\]splunk_app_stream[/\\]install[/\\]

# $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/distsearch.conf
[replicationBlacklist]
nostreamta1 = apps[/\\]Splunk_TA_stream[/\\]linux
nostreamta2 = apps[/\\]Splunk_TA_stream[/\\]darwin
nostreamta3 = apps[/\\]Splunk_TA_stream[/\\]windows
Note: The distsearch.conf file is not included with Splunk App for Stream. To set replication blacklist options you must create a new version of distsearch.conf in both splunk_app_stream/local/ and Splunk_TA_stream/local/.
For more information, see distsearch.conf in the Splunk Enterprise Admin Manual.
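One way to create both distsearch.conf files with the entries shown above, as an added example that is not part of the Splunk documentation. The helper names ensure_entry and write_stream_blacklist are hypothetical, and the directory that holds the two apps is passed as an argument. Running it twice leaves a single copy of each entry, and stanzas already in the file are preserved.

```shell
#!/bin/sh
# Added example (not Splunk's code). ensure_entry and write_stream_blacklist
# are hypothetical helper names; the keys and patterns are the page's own.

# ensure_entry FILE KEY VALUE
# Put "KEY = VALUE" directly under [replicationBlacklist] in FILE, creating
# the file and the stanza if needed. A KEY already set in FILE is left alone.
ensure_entry() {
    file=$1 key=$2 value=$3
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    grep -qxF '[replicationBlacklist]' "$file" ||
        printf '\n[replicationBlacklist]\n' >> "$file"
    grep -q "^$key[[:space:]]*=" "$file" && return 0
    # Pass the pattern through the environment: awk -v would collapse "\\".
    K=$key V=$value awk '
        { print }
        $0 == "[replicationBlacklist]" && !done {
            print ENVIRON["K"] " = " ENVIRON["V"]; done = 1
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# write_stream_blacklist APPS_DIR
# APPS_DIR is the directory that contains splunk_app_stream and
# Splunk_TA_stream (assumption: supplied by the caller).
write_stream_blacklist() {
    apps_dir=$1
    app_conf="$apps_dir/splunk_app_stream/local/distsearch.conf"
    ta_conf="$apps_dir/Splunk_TA_stream/local/distsearch.conf"
    ensure_entry "$app_conf" nostreaminstall \
        'apps[/\\]splunk_app_stream[/\\]install[/\\]'
    ensure_entry "$ta_conf" nostreamta1 'apps[/\\]Splunk_TA_stream[/\\]linux'
    ensure_entry "$ta_conf" nostreamta2 'apps[/\\]Splunk_TA_stream[/\\]darwin'
    ensure_entry "$ta_conf" nostreamta3 'apps[/\\]Splunk_TA_stream[/\\]windows'
}

# Run only when a directory argument is given.
if [ "$#" -gt 0 ]; then
    write_stream_blacklist "$1"
fi
```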
This documentation applies to the following versions of Splunk Stream™: 6.6.0, 6.6.1, 6.6.2