Configure file extraction
To use file extraction, you must map your Splunk Stream deployment to a remote file server. Stream forwarder uses the file server to store extracted files based on the metadata stream definition. For more information, see Use file extraction in the Splunk Stream User Manual.
Map deployment to remote file server
Before you configure file extraction for a metadata stream in splunk_app_stream, complete the following configuration steps:
1. Set up and mount file server
- If necessary, create an NFS (or similar) file server volume. For more information, see Set up a NFS server.
- On the host machine running the streamfwd binary, mount the file server volume. (This applies to both Splunk_TA_stream and independent Stream forwarder deployments.)
2. Add file server parameters to streamfwd.conf
- Add the following parameters to the streamfwd.conf file:
    fileServerId = <value>
    fileServerMountPoint = <value>
  For example:
    [streamfwd]
    fileServerId = 10.140.7.18:/StreamLoad
    fileServerMountPoint = /streamload
- Restart Splunk.
3. Mount file server on search head
On the search head running splunk_app_stream, create a mount point. For more information, see Setting up an NFS client.
4. Configure mount point for file server
- In the splunk_app_stream UI, click Configuration > File Server Mount Points.
- Click Add File Server.
- Specify the File Server and Mount Point. Click Create.
The mount point that you specify in the splunk_app_stream UI on the search head differs from the mount point that you specify in
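A sanity check for steps 1 and 2 on the Stream forwarder host, as an added example that is not part of the Splunk documentation: it reads fileServerId and fileServerMountPoint from the [streamfwd] stanza and confirms that the mount table shows that mount point mounted from that file server. The function names, return codes and sample files are constructed for illustration, and the check assumes fileServerId is written in the same host:/export form as the mount source, as in the example in step 2.

```shell
#!/bin/sh
# Added example: confirm the mount point named in streamfwd.conf is mounted
# from the file server named beside it. Names and return codes are illustrative.

# conf_get FILE KEY: print the value of KEY from the [streamfwd] stanza of FILE.
conf_get() {
    awk -v key="$2" '
        /^[ \t]*\[/ { inside = ($0 ~ /^[ \t]*\[streamfwd\][ \t]*$/); next }
        !inside || /^[ \t]*#/ { next }       # other stanza, or comment line
        {
            pos = index($0, "="); if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v             # last assignment wins
        }
        END { if (val != "") print val }' "$1"
}

# check_file_server CONF MOUNTS: MOUNTS is /proc/mounts or a file in that format.
# Returns 0 = match, 1 = parameter missing, 2 = not mounted, 3 = other source.
check_file_server() {
    id=$(conf_get "$1" fileServerId)
    mp=$(conf_get "$1" fileServerMountPoint)
    if [ -z "$id" ] || [ -z "$mp" ]; then
        echo "fileServerId or fileServerMountPoint missing in [streamfwd]"; return 1
    fi
    # Field 1 is the source, field 2 the mount point; the last matching entry is on top.
    src=$(awk -v mp="$mp" '$2 == mp { s = $1 } END { print s }' "$2")
    if [ -z "$src" ]; then echo "$mp is not a mount point"; return 2; fi
    if [ "$src" != "$id" ]; then echo "$mp is mounted from $src, not $id"; return 3; fi
    echo "$mp is mounted from $id"
}

# Constructed sample data (not taken from a real host).
demo=$(mktemp -d)
printf '[streamfwd]\nfileServerId = 10.140.7.18:/StreamLoad\nfileServerMountPoint = /streamload\n' > "$demo/streamfwd.conf"
printf '10.140.7.18:/StreamLoad /streamload nfs4 rw,relatime 0 0\n' > "$demo/mounts.ok"
printf '/dev/sda1 / ext4 rw,relatime 0 0\n' > "$demo/mounts.local"
check_file_server "$demo/streamfwd.conf" "$demo/mounts.ok"
check_file_server "$demo/streamfwd.conf" "$demo/mounts.local" || echo "exit status $?"
rm -rf "$demo"
```

On a live forwarder host, pass the path of your own streamfwd.conf and /proc/mounts as the two arguments.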
Use file extraction
After mapping your Splunk Stream deployment to your remote file server, you are ready to configure file extraction for your metadata streams. For detailed instructions, see Use file extraction in the Splunk Stream User Manual.
This documentation applies to the following versions of Splunk Stream™: 7.1.2, 7.1.3, 7.2.0