Splunk Stream

Installation and Configuration Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk Stream. Click here for the latest version.
Acrobat logo Download topic as PDF

Deploy Splunk Stream on Splunk Cloud

Splunk Stream is certified for deployment on Splunk Cloud. To deploy the app, contact your Splunk Cloud account team. They will evaluate your individual requirements, advise you on the required architecture, and install the app on Splunk Cloud for you.

For more information, see Welcome to Splunk Cloud Platform in the Splunk Cloud Platform Admin Manual.

How Splunk Stream on Splunk Cloud works

You can use splunk_app_stream installed on a search head in Splunk Cloud to manage jobs on your on-premises Stream forwarders. This includes both Stream forwarder (streamfwd binary) running on Splunk_TA_stream and independent Stream forwarder deployments. The data that your on-premises Stream forwarders capture is sent to Splunk Cloud indexers.

To enable on-premises Stream forwarders to interact with Splunk Cloud, certain ports must be open to provide access through your network firewall. In general, on-premises Stream forwarders must be able to access Splunk Cloud through port 8443, 9997, and 8088.

Splunk Stream on Splunk Cloud deployment architecture

The following diagram illustrates the basic deployment architecture of Splunk Stream on Splunk Cloud.

The diagram shows an on-premises deployment of Splunk_TA_stream fetching stream configuration data over API from splunk_app_stream, and forwarding captured data to Splunk Cloud indexers. It also shows an on-premises deployment of independent Stream forwarder sending captured data via HTTP Event Collector (HEC) to Splunk Cloud indexers. Independent Stream forwarder also fetches stream configurations data over API from splunk_app_stream (not shown.)

Stream on cloud arch.1.png

Port and configuration requirements


On-premises Stream forwarders running as part of Splunk_TA_stream must have access to port 8443 or 443/SSL to fetch their stream configurations over API from splunk_app_stream running on a search head in Splunk Cloud.

In addition, Splunk_TA_stream/local/inputs.conf must specify the location of splunk_app_stream on the localhost. For example:

splunk_stream_app_location = https://searchHead:8443/en-us/custom/splunk_app_stream/
stream_forwarder_id = 
disabled = 0

Stream forwarders running as Splunk_TA_stream on universal forwarders send captured data to indexers in Splunk Cloud. This requires access to port 9997. For more information, see Overview of getting data into Splunk Cloud in the Splunk Cloud User Manual.

Independent Stream forwarder

Independent Stream forwarder uses HEC to send data to indexers in Splunk Cloud. To ensure that your credentials are never transmitted from your on-premises systems to Splunk Cloud, this feature uses token-based authentication.

Independent Stream forwarder polls splunk_app_stream to retrieve stream configurations over API using port 8443. Contact Splunk Cloud support to help open ports (typically port 8088 for inbound HEC data) and manage tokens.

For more information, see Add data using HTTP protocol in the Splunk Cloud User Manual.

Last modified on 09 August, 2021
Deploy Splunk Stream on a search head cluster
Stream Easy Setup

This documentation applies to the following versions of Splunk Stream: 7.0.0, 7.0.1, 7.1.0, 7.1.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters