Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Use Stream configuration templates

Stream configuration templates are pre-defined stream configurations that provide specific protocol field mappings for Splunk products. You apply a configuration template to the streamfwd binary using command line options, which lets you configure data capture without using the Configure Streams UI in splunk_app_stream for configuration management.

Splunk Stream provides configuration templates for these Splunk products:

  • Splunk IT Service Intelligence (ITSI): ITSI configuration templates provide custom protocol fields that map to metrics in Splunk ITSI modules.
  • Enterprise Security (ES): ES configuration templates provide custom protocol fields that map to CIM data models used in Splunk ES.

Activate Stream configuration templates

To activate/deactivate a template, use these streamfwd command line options:

  -c [TEMPLATE_NAME]           Activate specified product template.
  -c                           Deactivate any active product template.
  --listtemplates              List installed product templates.

Examples

Both Splunk_TA_stream and independent streamfwd deployments support configuration templates.

Activate configuration template in Splunk_TA_stream

To activate the itsi configuration template for Splunk_TA_stream:

  1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin.
  2. Run the following command:
    [root@sr-centos2 bin]# ./streamfwd -c itsi
    Configuration Template located at /opt/splunk/etc/apps/Splunk_TA_stream/configs/itsi activated. 
    
  3. Restart Splunk.
  4. Confirm that the configTemplateName = itsi parameter has been added to Splunk_TA_stream/local/streamfwd.conf. For example:
    [streamfwd]
    port = 8889
    ipAddr = 127.0.0.1
    
    configTemplateName = itsi
    

Activate configuration template for independent streamfwd

Independent streamfwd deployments use HTTP Event Collector (HEC) to send data to indexers. When you activate a configuration template for an independent streamfwd deployment, you must manually add one or more indexer.<N>.uri = <indexer_location> parameters to the [streamfwd] stanza of streamfwd.conf to specify indexer locations. Use https:// URIs where HEC on the indexer has SSL enabled (the Splunk default); a plain http:// endpoint sends the captured data and the HEC token across the network in cleartext.

To activate the es configuration template for an independent streamfwd deployment:

  1. Go to /opt/streamfwd/bin.
  2. Run the following command:
    [root@sr-centos2 bin]# ./streamfwd -c es
    Configuration Template located at /opt/streamfwd/configs/es is activated. 
    
  3. Add indexer.<N>.uri = <indexer_location> parameters to the [streamfwd] stanza of streamfwd.conf to specify indexer locations. For example:
    [streamfwd]
    port = 8889
    ipAddr = 127.0.0.1
    
    configTemplateName = es
    indexer.0.uri = http://soln-perf110-1:8088
    indexer.1.uri = http://soln-perf11-2:8088
    
  4. Restart streamfwd so that the template and indexer settings take effect.
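Both procedures above end with a hand-edited streamfwd.conf, and neither gives you a way to confirm the result beyond reading the file. The script below is an added example, not code from the Splunk Stream documentation or from the streamfwd package: it parses the [streamfwd] stanza of a streamfwd.conf, reports the active configTemplateName (the check from step 4 of the Splunk_TA_stream procedure), lists the indexer.<N>.uri HEC endpoints that an independent streamfwd will send to, and flags any endpoint that is not https://. It assumes a POSIX sh with awk, and that the caller passes the path to the conf file (the TA copy under $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/, or the independent deployment's copy). The sample conf it writes is constructed from the es example on this page, with one URI switched to https so that both outcomes of the check are visible.

```shell
#!/bin/sh
# Added example (not from the Splunk Stream docs or streamfwd):
# sanity-check a streamfwd.conf after activating a configuration template.
#   1. confirm configTemplateName is set in the [streamfwd] stanza
#   2. list the indexer.<N>.uri HEC endpoints
#   3. flag endpoints that are not https:// (HEC data and token in cleartext)
# Assumptions: POSIX sh + awk; the conf path is supplied by the caller.

# Print every "key = value" pair of the [streamfwd] stanza as "key<TAB>value".
# Other stanzas are skipped; surrounding whitespace is trimmed.
streamfwd_pairs() {
    awk '
        /^[ \t]*\[/ { in_stanza = ($0 ~ /^[ \t]*\[streamfwd\][ \t]*$/); next }
        in_stanza && /^[ \t]*[A-Za-z0-9_.]+[ \t]*=/ {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]*/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            print k "\t" v
        }
    ' "$1"
}

# Active template name, or empty output when no template is active.
streamfwd_template() {
    streamfwd_pairs "$1" | awk -F'\t' '$1 == "configTemplateName" { print $2; exit }'
}

# HEC endpoints (indexer.<N>.uri values), one per line, in file order.
streamfwd_hec_uris() {
    streamfwd_pairs "$1" | awk -F'\t' '$1 ~ /^indexer\.[0-9]+\.uri$/ { print $2 }'
}

# Number of HEC endpoints that do not use https://.
streamfwd_plaintext_hec_count() {
    # grep -c exits 1 when the count is 0; the count itself is still printed.
    streamfwd_hec_uris "$1" | grep -v -c '^https://' || true
}

# Human-readable report. Returns 0 when a template is active and every HEC
# endpoint is https://, 1 otherwise.
check_streamfwd_conf() {
    conf=$1
    status=0
    tmpl=$(streamfwd_template "$conf")
    if [ -n "$tmpl" ]; then
        echo "template: $tmpl"
    else
        echo "WARN: no configTemplateName in [streamfwd] (no template active)"
        status=1
    fi
    streamfwd_hec_uris "$conf" | while IFS= read -r uri; do
        case $uri in
            https://*) echo "hec: $uri" ;;
            *)         echo "WARN: plaintext HEC endpoint: $uri" ;;
        esac
    done
    [ "$(streamfwd_plaintext_hec_count "$conf")" -eq 0 ] || status=1
    return $status
}

# Constructed sample conf (based on the es example on this page, with the
# second URI switched to https). Writes a temp file and prints its path.
sample_streamfwd_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[streamfwd]
port = 8889
ipAddr = 127.0.0.1

configTemplateName = es
indexer.0.uri = http://soln-perf110-1:8088
indexer.1.uri = https://soln-perf11-2:8088
EOF
    echo "$f"
}

# Usage: ./check_streamfwd.sh /path/to/streamfwd.conf
if [ $# -gt 0 ]; then
    check_streamfwd_conf "$1"
fi
```

Run it against the TA copy right after step 4 of the first procedure to confirm configTemplateName was written, and against the independent deployment's copy after adding indexer URIs; a non-zero exit means either no template is active or at least one HEC endpoint is plain http.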
Last modified on 15 March, 2017

This documentation applies to the following versions of Splunk Stream: 7.0.0, 7.0.1

