Splunk Stream

Installation and Configuration Manual

Download manual as PDF

This documentation does not apply to the most recent version of StreamApp. Click here for the latest version.
Download topic as PDF

Deploy Splunk Stream on a search head cluster

This topic shows you how to deploy Splunk Stream on a search head cluster (SHC). For more information see, Use the deployer to distribute apps and configuration updates in the Distributed Search manual.

Prerequisites

  • Splunk Stream 7.0.0 running on Splunk Enterprise version 6.3.1, 6.4.x, or 6.5.0.
  • An pre-existing search head cluster with deployer (outside of the cluster) and a minimum of three search head cluster members.
  • KV Store must be enabled on all cluster members. (KV Store is enabled by default on Splunk Enterprise version 6.3.1 and later.)

Step 1. Install Splunk Stream on the deployer

  1. Use Splunk Web to Install splunk-stream_700.tgz onto the deployer in $SPLUNK_HOME/etc/apps.
  2. Move splunk_app_stream and Splunk_TA_stream to shcluster/apps.

Note: Splunk_TA_stream is required on search heads, indexers, and forwarders so that props and transforms stanzas can be applied. To stop data capture on a search head, disable the streamfwd "Wire Data" modular input.

Step 2. Deploy the configuration bundle to the cluster

Run the splunk apply shcluster-bundle command on the deployer.

splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>

The -target parameter (required) specifies the URI and management port for any member of the cluster. For example: https://10.0.1.14:8089. Though you specify a single cluster member only, the deployer pushes the URI and management port to all members.

The -auth parameter specifies credentials for the deployer instance. This pushes everything contained in the shcluster/ directory (including splunk_app_stream and Splunk_TA_stream) from the deployer to each search head cluster member.

For more information, see Deploy a configuration bundle in the Distributed Search manual.

Avoid bundle replication of streamfwd binary

In a search head cluster environment, the large size of the Splunk_TA_stream package adds unnecessary overhead to the bundle replication process. To avoid this issue, blacklist the streamfwd binary in the [replicationBlacklist] stanza in both Splunk_TA_stream/local/distsearch.conf and splunk_app_stream/local/distsearch.conf. For example:

cd $SPLUNK_HOME/etc/apps/splunk_app_stream/local/distsearch.conf

[replicationBlacklist]
nostreaminstall = apps[/\\]splunk_app_stream[/\\]install[/\\]


cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/distsearch.conf

[replicationBlacklist]
nostreamta1 = apps[/\\]Splunk_TA_stream[/\\]linux
nostreamta2 = apps[/\\]Splunk_TA_stream[/\\]darwin
nostreamta3 = apps[/\\]Splunk_TA_stream[/\\]windows

Note: The distsearch.conf file is not included with Splunk Stream. To set replication blacklist options you must create a new version of distsearch.conf in both splunk_app_stream/local/ and Splunk_TA_stream/local/.

For more information, see distsearch.conf in the Splunk Enterprise Admin Manual.

PREVIOUS
Deploy independent Stream forwarder
  NEXT
Deploy Splunk Stream on Splunk Cloud

This documentation applies to the following versions of Splunk Stream: 7.0.0, 7.0.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters