Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Deploy Splunk Stream on a search head cluster

This topic shows you how to deploy Splunk Stream on a search head cluster (SHC). For more information see, Use the deployer to distribute apps and configuration updates in Distributed Search.

Prerequisites

Before you deploy Splunk Stream to a search head cluster, make sure your Splunk Enterprise deployment includes:

  • An existing search head cluster, including a minimum of 3 search heads, any number of search peers (indexers), and a deployer server (outside the cluster). See Deploy a search head cluster in the Distributed Search manual.

Step 1. Install Splunk Stream on the deployer

  1. Use Splunk Web to Install splunk-stream_<latest_version>.tgz onto the deployer in $SPLUNK_HOME/etc/apps.
  2. Move splunk_app_stream and Splunk_TA_stream to the configuration bundle at $SPLUNK_HOME/etc/shcluster/apps.

For information on the structure of the configuration bundle, see Where to place the configuration bundle on the deployer in Distributed Search.

Splunk_TA_stream is required on search heads, indexers, and forwarders so that props and transforms stanzas can be applied. To stop data capture on a search head, disable the streamfwd "Wire Data" modular input.

Step 2. Deploy the configuration bundle to the cluster

Run the splunk apply shcluster-bundle command on the deployer. 

splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>

The -target parameter (required) specifies the URI and management port for any member of the cluster. For example: https://10.0.1.14:8089. Though you specify a single cluster member only, the deployer pushes the URI and management port to all members.

The -auth parameter specifies credentials for the deployer instance. This pushes everything contained in the shcluster/ directory (including splunk_app_stream and Splunk_TA_stream) from the deployer to each search head cluster member.

For more information, see Deploy a configuration bundle in the Distributed Search manual.

Upgrade Splunk Stream in a search head cluster

To upgrade Splunk Stream on a search head cluster, follow the same steps that you used to deploy Splunk Stream on the search head cluster initially. See Deploy Stream on a search head cluster.

When you move the updated version of the app to the configuration bundle, you overwrite the existing version of the app.

For more information on app upgrades in a search head cluster, see Use the deployer to distribute apps and configuration updates in Distributed Search.

Last modified on 02 September, 2017
Deploy independent Stream forwarder   Deploy Splunk Stream on Splunk Cloud

This documentation applies to the following versions of Splunk Stream: 7.1.0, 7.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters