Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Deploy Splunk Stream on a search head cluster

This topic shows you how to deploy Splunk Stream on a search head cluster (SHC). For more information see, Use the deployer to distribute apps and configuration updates in the Distributed Search manual.

Prerequisites

  • Splunk Stream 7.0.0 running on Splunk Enterprise version 6.3.1, 6.4.x, or 6.5.0.
  • An pre-existing search head cluster with deployer (outside of the cluster) and a minimum of three search head cluster members.
  • KV Store must be enabled on all cluster members. (KV Store is enabled by default on Splunk Enterprise version 6.3.1 and later.)

Step 1. Install Splunk Stream on the deployer

  1. Use Splunk Web to Install splunk-stream_700.tgz onto the deployer in $SPLUNK_HOME/etc/apps.
  2. Move splunk_app_stream and Splunk_TA_stream to shcluster/apps.

Note: Splunk_TA_stream is required on search heads, indexers, and forwarders so that props and transforms stanzas can be applied. To stop data capture on a search head, disable the streamfwd "Wire Data" modular input.

Step 2. Deploy the configuration bundle to the cluster

Run the splunk apply shcluster-bundle command on the deployer. 

splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>

The -target parameter (required) specifies the URI and management port for any member of the cluster. For example: https://10.0.1.14:8089. Though you specify a single cluster member only, the deployer pushes the URI and management port to all members.

The -auth parameter specifies credentials for the deployer instance. This pushes everything contained in the shcluster/ directory (including splunk_app_stream and Splunk_TA_stream) from the deployer to each search head cluster member.

For more information, see Deploy a configuration bundle in the Distributed Search manual.

Avoid bundle replication of streamfwd binary

In a search head cluster environment, the large size of the Splunk_TA_stream package adds unnecessary overhead to the bundle replication process. To avoid this issue, blacklist the streamfwd binary in the [replicationBlacklist] stanza in both Splunk_TA_stream/local/distsearch.conf and splunk_app_stream/local/distsearch.conf. For example: 

cd $SPLUNK_HOME/etc/apps/splunk_app_stream/local/distsearch.conf

[replicationBlacklist]
nostreaminstall = apps[/\\]splunk_app_stream[/\\]install[/\\]


cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/distsearch.conf

[replicationBlacklist]
nostreamta1 = apps[/\\]Splunk_TA_stream[/\\]linux
nostreamta2 = apps[/\\]Splunk_TA_stream[/\\]darwin
nostreamta3 = apps[/\\]Splunk_TA_stream[/\\]windows

Note: The distsearch.conf file is not included with Splunk Stream. To set replication blacklist options you must create a new version of distsearch.conf in both splunk_app_stream/local/ and Splunk_TA_stream/local/.

For more information, see distsearch.conf in the Splunk Enterprise Admin Manual.

Last modified on 11 November, 2016
Deploy independent Stream forwarder   Deploy Splunk Stream on Splunk Cloud

This documentation applies to the following versions of Splunk Stream: 7.0.0, 7.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters