Deploy Splunk Stream on Splunk Cloud
Splunk Stream is certified for deployment on Splunk Cloud. To deploy the app, contact your Splunk Cloud account team. They will evaluate your individual requirements, advise you on the required architecture, and install the app on Splunk Cloud for you.
For more information, see Welcome to Splunk Cloud Platform in the Splunk Cloud Platform Admin Manual.
How Splunk Stream on Splunk Cloud works
You can use splunk_app_stream installed on a search head in Splunk Cloud to manage jobs on your on-premises Stream forwarders. This includes both Stream forwarder (streamfwd binary) running on Splunk_TA_stream and independent Stream forwarder deployments. The data that your on-premises Stream forwarders capture is sent to Splunk Cloud indexers.
To enable on-premises Stream forwarders to interact with Splunk Cloud, certain ports must be open to provide access through your network firewall. In general, on-premises Stream forwarders must be able to access Splunk Cloud through ports 8443, 9997, and 8088.
Splunk Stream on Splunk Cloud deployment architecture
The following diagram illustrates the basic deployment architecture of Splunk Stream on Splunk Cloud.
The diagram shows an on-premises deployment of Splunk_TA_stream fetching stream configuration data over API from splunk_app_stream, and forwarding captured data to Splunk Cloud indexers. It also shows an on-premises deployment of independent Stream forwarder sending captured data via HTTP Event Collector (HEC) to Splunk Cloud indexers. Independent Stream forwarder also fetches stream configuration data over API from splunk_app_stream (not shown).
Port and configuration requirements
On-premises Stream forwarders running as part of Splunk_TA_stream must have access to port 8443 or 443/SSL to fetch their stream configurations over API from splunk_app_stream running on a search head in Splunk Cloud.
Splunk_TA_stream/local/inputs.conf must specify the location of splunk_app_stream on the localhost. For example:
[streamfwd://streamfwd]
splunk_stream_app_location = https://searchHead:8443/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
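A pre-deployment check for the stanza above, given here as an added example rather than Splunk's own tooling. The function name check_inputs_conf, the sample strings, and the rules marked as assumptions in the comments are not from the original page.

```python
import configparser
from urllib.parse import urlsplit

STANZA = "streamfwd://streamfwd"
ALLOWED_PORTS = {8443, 443}  # ports the page lists for fetching stream configuration

# Constructed samples: the page's stanza, and a variant with three mistakes.
GOOD = """\
[streamfwd://streamfwd]
splunk_stream_app_location = https://searchHead:8443/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
"""
BAD = GOOD.replace("https://searchHead:8443", "http://searchHead:8000")
BAD = BAD.replace("disabled = 0", "disabled = 1")


def check_inputs_conf(text):
    """Return findings for the streamfwd stanza; an empty list means it passed."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    if not cp.has_section(STANZA):
        return [f"missing stanza [{STANZA}]"]
    findings = []
    url = urlsplit(cp.get(STANZA, "splunk_stream_app_location", fallback=""))
    # Assumption: the config fetch should use TLS, as in the page's https example.
    if url.scheme != "https":
        findings.append(f"scheme is {url.scheme or 'missing'!r}, expected https")
    try:
        port = url.port or (443 if url.scheme == "https" else None)
    except ValueError:
        port = None
    if port not in ALLOWED_PORTS:
        findings.append(f"port {port} is not one of {sorted(ALLOWED_PORTS)}")
    # Assumption: the locale prefix may differ, so only the app name is checked.
    if not url.path.rstrip("/").endswith("/splunk_app_stream"):
        findings.append("URL path does not point at splunk_app_stream")
    if cp.get(STANZA, "disabled", fallback="0").strip().lower() in {"1", "true"}:
        findings.append("stanza is disabled")
    return findings


if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_inputs_conf(sample) or "OK")
```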
Stream forwarders running as Splunk_TA_stream on universal forwarders send captured data to indexers in Splunk Cloud. This requires access to port 9997. For more information, see Overview of getting data into Splunk Cloud in the Splunk Cloud User Manual.
Independent Stream forwarder
Independent Stream forwarder uses HEC to send data to indexers in Splunk Cloud. To ensure that your credentials are never transmitted from your on-premises systems to Splunk Cloud, this feature uses token-based authentication.
Independent Stream forwarder polls splunk_app_stream to retrieve stream configurations over API using port 8443. Contact Splunk Cloud support to help open ports (typically port 8088 for inbound HEC data) and manage tokens.
For more information, see Add data using HTTP protocol in the Splunk Cloud User Manual.
This documentation applies to the following versions of Splunk Stream™: 7.0.0, 7.0.1, 7.1.0, 7.1.1