Splunk Stream

Installation and Configuration Manual



This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Deploy Splunk Stream on Splunk Cloud

Splunk Stream is certified for deployment on Splunk Cloud. To deploy Splunk Stream, contact your Splunk Cloud account team. They will evaluate your individual requirements, advise you on the required architecture, and install the app on Splunk Cloud for you.

For more information, see Welcome to Splunk Cloud Platform in the Splunk Cloud Platform Admin Manual.

How Splunk Stream on Splunk Cloud works

You can use splunk_app_stream installed on a search head in Splunk Cloud to manage jobs on your on-premises Stream forwarders. This includes both Stream forwarders (streamfwd binary) running as part of Splunk_TA_stream and independent Stream forwarder deployments. The data that your on-premises Stream forwarders capture is sent to Splunk Cloud indexers.

To enable on-premises Stream forwarders to interact with Splunk Cloud, certain ports must be open to provide access through your network firewall. In general, on-premises Stream forwarders must be able to access Splunk Cloud through ports 8443, 9997, and 8088.

Splunk Stream on Splunk Cloud deployment architecture

The following diagram illustrates the basic deployment architecture of Splunk Stream on Splunk Cloud.

The diagram shows an on-premises deployment of Splunk_TA_stream fetching stream configuration data over API from splunk_app_stream and forwarding captured data to Splunk Cloud indexers. It also shows an on-premises deployment of independent Stream forwarder sending captured data via HTTP Event Collector (HEC) to Splunk Cloud indexers. Independent Stream forwarder also fetches stream configuration data over API from splunk_app_stream (not shown).

[Diagram: Splunk Stream on Splunk Cloud deployment architecture]

Port and configuration requirements

Splunk_TA_stream

For on-premises Stream forwarders that run as part of Splunk_TA_stream:

  • Provide Splunk_TA_stream/local/inputs.conf with access to port 8443 or 443/SSL to fetch their stream configurations over API from splunk_app_stream running on a search head in Splunk Cloud.
  • For the splunk_stream_app_location attribute in Splunk_TA_stream/local/inputs.conf, provide the location of splunk_app_stream on the localhost. For example:

        [streamfwd://streamfwd]
        splunk_stream_app_location = https://searchHead:8443/en-us/custom/splunk_app_stream/
        stream_forwarder_id =
        disabled = 0

Stream forwarders running as Splunk_TA_stream on universal forwarders send captured data to indexers in Splunk Cloud. This requires access to port 9997. For more information, see Overview of getting data into Splunk Cloud in the Splunk Cloud User Manual.
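
The following check is an added example, not part of the Splunk documentation or of Splunk Stream's own code. It validates the [streamfwd://streamfwd] stanza shown above against the port requirements on this page and tests TCP reachability from the forwarder host; the function names and the sample file content are assumptions made for the illustration.

```python
import configparser
import socket
from urllib.parse import urlsplit

# Constructed sample modelled on the stanza above; "searchHead" is the page's placeholder host.
SAMPLE_INPUTS_CONF = """\
[streamfwd://streamfwd]
splunk_stream_app_location = https://searchHead:8443/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
"""

API_PORTS = {8443, 443}  # ports this page lists for fetching stream configurations


def check_streamfwd_stanza(conf_text, stanza="streamfwd://streamfwd"):
    """Return (host, port, problems) for the streamfwd stanza in inputs.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section(stanza):
        return None, None, [f"stanza [{stanza}] not found"]
    problems = []
    url = urlsplit(cp.get(stanza, "splunk_stream_app_location", fallback=""))
    port = url.port or (443 if url.scheme == "https" else 80)
    if url.scheme != "https":
        problems.append("splunk_stream_app_location is not https")
    if port not in API_PORTS:
        problems.append(f"port {port} is not 8443 or 443")
    if not url.path.rstrip("/").endswith("splunk_app_stream"):
        problems.append("path does not point at splunk_app_stream")
    if cp.get(stanza, "disabled", fallback="0").strip().lower() not in ("0", "false"):
        problems.append("input is disabled")
    return url.hostname, port, problems  # urlsplit lower-cases the hostname


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


if __name__ == "__main__":
    print(check_streamfwd_stanza(SAMPLE_INPUTS_CONF))
```

Run port_open from the forwarder host against your own Splunk Cloud search head and indexer names for ports 8443, 9997, and 8088; a False result points to a firewall rule that still needs to be opened.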

Independent Stream forwarder

Independent Stream forwarder uses HEC to send data to indexers in Splunk Cloud. To ensure that your credentials are never transmitted from your on-premises systems to Splunk Cloud, this feature uses token-based authentication.

Independent Stream forwarder polls splunk_app_stream to retrieve stream configurations over API using port 8443. Contact Splunk Cloud support to help open ports (typically port 8088 for inbound HEC data) and manage tokens.

For more information, see Add data using HTTP protocol in the Splunk Cloud User Manual.

Last modified on 09 August, 2021

This documentation applies to the following versions of Splunk Stream: 7.1.2, 7.1.3, 7.2.0

