Deploy Splunk Stream on a search head cluster
This topic shows you how to deploy Splunk Stream on a search head cluster (SHC). For more information, see Use the deployer to distribute apps and configuration updates in the Distributed Search manual.
Prerequisites
- Splunk Stream 7.0.0 running on Splunk Enterprise version 6.3.1, 6.4.x, or 6.5.0.
- A pre-existing search head cluster with a deployer (outside of the cluster) and a minimum of three search head cluster members.
- KV Store must be enabled on all cluster members. (KV Store is enabled by default on Splunk Enterprise version 6.3.1 and later.)
Step 1. Install Splunk Stream on the deployer
- Use Splunk Web to install splunk-stream_700.tgz onto the deployer in $SPLUNK_HOME/etc/apps.
- Move splunk_app_stream and Splunk_TA_stream to shcluster/apps.
Note: Splunk_TA_stream is required on search heads, indexers, and forwarders so that props and transforms stanzas can be applied. To stop data capture on a search head, disable the streamfwd "Wire Data" modular input.
Step 2. Deploy the configuration bundle to the cluster
Run the splunk apply shcluster-bundle command on the deployer.
splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
The -target parameter (required) specifies the URI and management port for any member of the cluster. For example: https://10.0.1.14:8089. Though you specify a single cluster member only, the deployer pushes the URI and management port to all members.
The -auth parameter specifies credentials for the deployer instance. This pushes everything contained in the shcluster/ directory (including splunk_app_stream and Splunk_TA_stream) from the deployer to each search head cluster member.
For more information, see Deploy a configuration bundle in the Distributed Search manual.
Avoid bundle replication of streamfwd binary
In a search head cluster environment, the large size of the Splunk_TA_stream package adds unnecessary overhead to the bundle replication process. To avoid this issue, blacklist the streamfwd binary in the [replicationBlacklist] stanza in both Splunk_TA_stream/local/distsearch.conf and splunk_app_stream/local/distsearch.conf. For example:
# $SPLUNK_HOME/etc/apps/splunk_app_stream/local/distsearch.conf
[replicationBlacklist]
nostreaminstall = apps[/\\]splunk_app_stream[/\\]install[/\\]

# $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/distsearch.conf
[replicationBlacklist]
nostreamta1 = apps[/\\]Splunk_TA_stream[/\\]linux
nostreamta2 = apps[/\\]Splunk_TA_stream[/\\]darwin
nostreamta3 = apps[/\\]Splunk_TA_stream[/\\]windows
Note: The distsearch.conf file is not included with Splunk Stream. To set replication blacklist options you must create a new version of distsearch.conf in both splunk_app_stream/local/ and Splunk_TA_stream/local/.
For more information, see distsearch.conf in the Splunk Enterprise Admin Manual.
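The two distsearch.conf files described above can be created with a small script that leaves an existing [replicationBlacklist] stanza untouched. This is an added example, not part of the Splunk documentation; the function names and the STREAM_APPS_DIR variable are assumptions, and the stanza entries are copied from the example above.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling): create the replication blacklist
# files for splunk_app_stream and Splunk_TA_stream.

# write_blacklist <apps_dir> <app_name> <"key = pattern">...
# Appends a [replicationBlacklist] stanza to <app_name>/local/distsearch.conf.
# If the file already contains that stanza it is left alone, so a rerun
# never duplicates entries or overwrites local edits.
write_blacklist() {
    wb_dir=$1
    wb_app=$2
    shift 2
    wb_conf="$wb_dir/$wb_app/local/distsearch.conf"
    mkdir -p "$wb_dir/$wb_app/local" || return 1
    if [ -f "$wb_conf" ] && grep -qF '[replicationBlacklist]' "$wb_conf"; then
        echo "skip: $wb_conf already has [replicationBlacklist]" >&2
        return 0
    fi
    {
        printf '%s\n' '[replicationBlacklist]'
        for wb_entry in "$@"; do
            printf '%s\n' "$wb_entry"
        done
    } >> "$wb_conf"
}

# stream_blacklists <apps_dir>
# <apps_dir> is the directory that holds both apps, for example
# $SPLUNK_HOME/etc/apps as used in the example above.
stream_blacklists() {
    write_blacklist "$1" splunk_app_stream \
        'nostreaminstall = apps[/\\]splunk_app_stream[/\\]install[/\\]' &&
    write_blacklist "$1" Splunk_TA_stream \
        'nostreamta1 = apps[/\\]Splunk_TA_stream[/\\]linux' \
        'nostreamta2 = apps[/\\]Splunk_TA_stream[/\\]darwin' \
        'nostreamta3 = apps[/\\]Splunk_TA_stream[/\\]windows'
}

# Runs only when the (hypothetical) STREAM_APPS_DIR variable is set, e.g.
#   STREAM_APPS_DIR="$SPLUNK_HOME/etc/apps" sh stream_blacklist.sh
if [ -n "${STREAM_APPS_DIR:-}" ]; then
    stream_blacklists "$STREAM_APPS_DIR"
fi
```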
This documentation applies to the following versions of Splunk Stream™: 7.0.0, 7.0.1