Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Deploy independent Stream forwarder

Splunk App for Stream supports installing Stream forwarder (streamfwd) independently on compatible Linux machines. To simplify this, Splunk App for Stream generates a curl script that downloads and installs Stream forwarder for you.

Independent Stream forwarder deployment is useful, for example, for capturing network data from Linux hosts that you want to monitor as part of a network service in a Splunk IT Service Intelligence (ITSI) deployment.

  • You must configure HTTP event collector (HEC) on indexers to receive data from independent Stream forwarder.

Independent Stream forwarder does not require Universal Forwarder.

Prerequisites

  • 64-bit Linux (RHEL and Ubuntu) only.
  • An existing Splunk App for Stream 6.5.0 or later deployment.

Install independent Stream forwarder using curl

  1. Go to Configure > Distributed Forwarder Management.
  2. Click Install Stream Forwarder. The Install Stream forwarder window appears.
  3. Copy the curl script.
  4. SSH into the Linux machine where you want to install Stream forwarder.
  5. Run the curl script that you copied from Splunk App for Stream. For example:
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash
    
  6. Enter [yes] at each prompt to download, install, and start the streamfwd binary.


Optionally, you can run the curl script in fully automated mode without prompts:

  1. Run the curl script as shown in step 5 with the following parameters appended: -s -- --accept-defaults. For example:
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash -s -- --accept-defaults
    
  2. Start the streamfwd service. For example:
    sudo service streamfwd start
    

After installation is complete, confirm that the splunk_stream_app_location address is set correctly in /opt/streamfwd/local/inputs.conf.

Enable SSL certificate validation

You can enable certificate validation for SSL connections to streamfwd to verify the identity of splunk_app_stream servers. For more information, see Enable TLS certificate validation in this manual.

Enable HTTP Event Collector to send data to indexers

To send data from an independent Stream Forwarder to indexers, HTTP Event Collector (HEC) must be enabled on the indexer instance(s). HTTP Event Collector is supported for Independent Stream Forwarder only.

  1. In Splunk App for Stream, go to Configuration > Distributed Forwarder Management.
  2. Click Install Stream Forwarders. If the HTTP Event Collector streamfwd token configuration is disabled, click View Configuration. The HTTP event collector page opens.
  3. Click Global Settings.
  4. In the Edit Global Setting modal, click Enabled. This enables the HTTP event collector.
  5. Click Save.
  6. Make sure "streamfwd" HTTP Event Collector input is present and enabled.

Propagate HTTP Event Collector configuration to indexer cluster

HTTP Event Collector must be enabled on every indexer to which Stream forwarders send events, and both the [http://streamfwd] input and the collector's SSL configuration must be identical on all of those indexers. However, Splunk App for Stream can only generate the streamfwd HTTP Event Collector input on the instance on which it is running.

For this reason, if you want to send data to an indexer cluster, you must copy the [http://streamfwd] stanza from $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf on the appropriately configured instance to the corresponding splunk_httpinput/local/inputs.conf file on every indexer.

For example:

[http://streamfwd]
disabled = 0
token = 521F51A6-093C-4954-80F9-47A5445DFBDD
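Because Splunk App for Stream only writes the streamfwd input on its own instance, a drifted or still-disabled copy on one indexer is easy to miss. The following script is an added example, not Splunk's own code: it parses Splunk-style inputs.conf text, reports any indexer whose [http://streamfwd] stanza is missing, disabled or carrying a different token, and also reads back the splunk_stream_app_location value from a forwarder's /opt/streamfwd/local/inputs.conf. The sample configurations, the placeholder tokens and the [streamfwd] stanza name on the forwarder side are constructed assumptions.

```python
# Added example, not Splunk's code: check that the [http://streamfwd] HEC input
# is present, enabled and carries the same token on every indexer.
import configparser

STANZA = "http://streamfwd"
# Constructed sample contents of splunk_httpinput/local/inputs.conf on four
# indexers; tokens are placeholders, not real HEC tokens.
SAMPLE_INPUTS = {
    "idx1": "[http://streamfwd]\ndisabled = 0\ntoken = PLACEHOLDER-TOKEN\n",
    "idx2": "[http://streamfwd]\ndisabled = 0\ntoken = PLACEHOLDER-TOKEN\n",
    "idx3": "[http://streamfwd]\ndisabled = 1\ntoken = PLACEHOLDER-TOKEN\n",
    "idx4": "[http://streamfwd]\ndisabled = 0\ntoken = OTHER-TOKEN\n",
}
# Constructed /opt/streamfwd/local/inputs.conf; the [streamfwd] stanza name is
# an assumption, the page only names the splunk_stream_app_location key.
SAMPLE_FWD_CONF = ("[streamfwd]\nsplunk_stream_app_location = "
                   "http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/\n")

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def check_hec_stanzas(conf_by_indexer):
    """Return a list of problems; an empty list means the input is consistent."""
    problems, tokens = [], set()
    for name, text in conf_by_indexer.items():
        stanza = parse_conf(text).get(STANZA)
        if stanza is None:
            problems.append(f"{name}: missing [{STANZA}] stanza")
            continue
        if stanza.get("disabled", "0").strip() not in ("0", "false"):
            problems.append(f"{name}: [{STANZA}] is disabled")
        if stanza.get("token"):
            tokens.add(stanza["token"].strip())
        else:
            problems.append(f"{name}: [{STANZA}] has no token")
    if len(tokens) > 1:
        problems.append(f"token differs across indexers: {sorted(tokens)}")
    return problems

def stream_app_location(forwarder_conf_text):
    """Return splunk_stream_app_location from a forwarder inputs.conf, or None."""
    for stanza in parse_conf(forwarder_conf_text).values():
        if "splunk_stream_app_location" in stanza:
            return stanza["splunk_stream_app_location"].strip()
    return None
```

Run it against the sample and it flags idx3 as disabled and idx4 as carrying a different token; feed it the real files collected from each indexer to confirm the stanza was propagated identically.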

For more information on HTTP Event Collector, see Use HTTP Event Collector in Getting Data In.

Last modified on 25 January, 2018

This documentation applies to the following versions of Splunk Stream: 6.6.0, 6.6.1, 6.6.2
