Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Use Stream configuration templates

Stream configuration templates are pre-defined stream configurations that provide specific protocol field mappings for Splunk products. You can apply configuration templates to the streamfwd binary using command-line options, which lets you configure data capture without using splunk_app_stream for configuration management.

Splunk Stream provides configuration templates for these Splunk products:

  • Splunk IT Service Intelligence (ITSI): ITSI configuration templates provide custom protocol fields that map to metrics in Splunk ITSI modules.
  • Enterprise Security (ES): ES configuration templates provide custom protocol fields that map to CIM data models used in Splunk ES.

Activate Stream configuration templates

To activate a Stream configuration template, you must add the configTemplateName=<product name> parameter to streamfwd.conf. You can use streamfwd command options to add this parameter, or manually edit the streamfwd.conf file.

Stream provides the following streamfwd command options to activate, deactivate, or list installed templates:

  -c [TEMPLATE_NAME]           Activate specified product template.
  -c                           Deactivate any active product template.
  --listtemplates              List installed product templates.

For example, to activate the ITSI configuration template:

./streamfwd -c itsi

See Examples.

Only one Stream configuration template can be active at a time.

Examples

Both Splunk_TA_stream and independent streamfwd deployments support configuration templates.

Activate configuration template in Splunk_TA_stream

To activate the itsi configuration template for Splunk_TA_stream:

  1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin.
  2. Run the following command:
    [root@sr-centos2 bin]# ./streamfwd -c itsi
    Configuration Template located at /opt/splunk/etc/apps/Splunk_TA_stream/configs/itsi activated. 
    
  3. Restart Splunk.
  4. Confirm that the configTemplateName = itsi parameter has been added to Splunk_TA_stream/local/streamfwd.conf. For example:
    [streamfwd]
    port = 8889
    ipAddr = 127.0.0.1
    
    configTemplateName = itsi
    

Activate configuration template for independent streamfwd

Independent streamfwd deployments use HTTP Event Collector (HEC) to send data to indexers. When activating a configuration template for an independent streamfwd deployment, you must manually add one or more indexer.<N>.uri = <indexer_location> parameters to specify indexer locations.

To activate the es configuration template for an independent streamfwd deployment:

  1. Go to /opt/streamfwd/bin.
  2. Run the following command:
    [root@sr-centos2 bin]# ./streamfwd -c es
    Configuration Template located at /opt/streamfwd/configs/es is activated. 
    
  3. Restart streamfwd.
  4. Add indexer.<N>.uri = <indexer_location> parameters to specify indexer locations. For example:
    [streamfwd]
    port = 8889
    ipAddr = 127.0.0.1
    
    configTemplateName = es
    indexer.0.uri = http://soln-perf110-1:8088
    indexer.1.uri = http://soln-perf11-2:8088
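
The confirmation in step 4 of both procedures can be scripted. The following is an added example, not part of the Splunk documentation: the helper name `check_streamfwd_conf`, its arguments, and the OK/WARN/FAIL output are assumptions of this example, and the sample is the independent-deployment streamfwd.conf shown above. It checks that the expected template is the only one set in the [streamfwd] stanza, that an independent deployment has at least one indexer URI, and warns on any indexer URI that uses plain http://.

```shell
# check_streamfwd_conf FILE TEMPLATE MODE   (hypothetical helper, not a Splunk tool)
#   TEMPLATE: template expected to be active (itsi or es on this page)
#   MODE:     "ta" (Splunk_TA_stream) or "independent" (indexer URIs required)
# Prints OK/WARN/FAIL lines; returns non-zero if any FAIL was printed.
check_streamfwd_conf() {
    awk -v want="$2" -v mode="$3" '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        /^[ \t]*\[/    { in_sec = ($0 ~ /^[ \t]*\[streamfwd\][ \t]*$/); next }
        !in_sec        { next }    # only the [streamfwd] stanza counts
        {
            eq = index($0, "="); if (!eq) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "configTemplateName") { ntpl++; tpl = val }
            else if (key ~ /^indexer\.[0-9]+\.uri$/) {
                nidx++
                if (val ~ /^http:\/\//) print "WARN " key " sends events unencrypted: " val
                else if (val !~ /^https:\/\//) { print "FAIL " key " is not an http(s) URI"; bad = 1 }
            }
        }
        END {
            if (ntpl != 1) { print "FAIL expected one configTemplateName line, found " (ntpl + 0); bad = 1 }
            else if (tpl != want) { print "FAIL active template is " tpl ", expected " want; bad = 1 }
            else print "OK template " tpl " is active"
            if (mode == "independent" && !nidx) { print "FAIL no indexer.<N>.uri set"; bad = 1 }
            exit bad + 0
        }' "$1"
}

# Sample input: the independent-deployment streamfwd.conf from this page.
sample_conf() {
    cat <<'EOF'
[streamfwd]
port = 8889
ipAddr = 127.0.0.1

configTemplateName = es
indexer.0.uri = http://soln-perf110-1:8088
indexer.1.uri = http://soln-perf11-2:8088
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_streamfwd_conf "$tmp" es independent
rm -f "$tmp"
```

Treating a second configTemplateName line as a failure is this example's reading of the rule that only one template can be active at a time.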
    
Last modified on 27 May, 2017

This documentation applies to the following versions of Splunk Stream: 7.1.0, 7.1.1

