Install Splunk Stream
This topic shows you how to install and upgrade Splunk Stream in both single instance and distributed Splunk Enterprise environments. For an overview of these deployment environments, see Deployment architectures in this manual.
Splunk Stream components
The Splunk Stream install package includes the following components:
- splunk_app_stream: provides configuration management for the streamfwd binary. It also provides:
  - Stream forwarder management tools
  - Filters for fine-tuning data capture
  - Pre-defined streams
  - Dashboards for analysis of network events and flow data.
- Splunk_TA_stream: provides data ingestion and forwarding capabilities. Splunk_TA_stream contains both search-time and index-time props. It is required on indexers for searching and parsing. Splunk_TA_stream includes the Stream forwarder (streamfwd) binary. streamfwd is the core component of Splunk_TA_stream and provides passive capture of network data.
- Independent Stream forwarder: The Splunk Stream installation package includes the independent Stream forwarder install package splunkstreamfwd.tgz. This install package is not deployed with splunk_app_stream and Splunk_TA_stream. Splunk Stream generates a curl command that you can use to install the independent Stream forwarder on any compatible Linux machine. See Deploy Independent Stream Forwarder in this manual.
Install Splunk Stream on a single instance
You can install Splunk Stream on a single Splunk Enterprise instance. In a single-instance deployment one Splunk Enterprise instance serves as both search head and indexer.
- Go to http://splunkbase.com/app/1809/.
- Click Download. The splunk-stream_<latest_version>.tgz installation package downloads to your local host.
- Log into Splunk Web.
- Click Manage Apps > Install app from file.
- Upload the splunk-stream_<latest_version>.tgz installer file.
- Restart Splunk Enterprise, if prompted. This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps.
- Run the set_permissions.sh script to set permissions for Splunk_TA_stream. For details, see Set Splunk_TA_stream permissions on this page.
Install Splunk Stream in a distributed environment
You can install Splunk Stream in any distributed Splunk Enterprise environment. For information on Splunk Stream distributed deployment architectures, see Distributed deployment in this manual.
Splunk Stream version 6.5.0 and later supports search head clusters. See Deploy Stream on a search head Cluster in this manual.
Install Splunk Stream on search heads
- Go to http://splunkbase.com/app/1809/.
- Click Download. The splunk-stream_<latest_version>.tgz installation package downloads to your local host.
- Log into Splunk Web.
- Click Manage Apps > Install app from file.
- Upload the splunk-stream_<latest_version>.tgz installer file.
- Restart Splunk Enterprise (if prompted). This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps. It also installs a copy of Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps.
- Repeat steps 3-6 on all search heads.
Configure deployment server to distribute Splunk_TA_stream to universal forwarders
When you install Splunk Stream on search heads, it installs a copy of Splunk_TA_stream in the $SPLUNK_HOME/etc/deployment-apps directory. This is a pre-configured copy of Splunk_TA_stream that you can deploy to universal forwarders using the deployment server.
For instructions on how to set up the deployment server to distribute Splunk_TA_stream to universal forwarders, see Plan a deployment in Updating Splunk Enterprise Instances.
Set Splunk_TA_stream permissions
During installation, Stream automatically puts the NIC in promiscuous mode. This requires you to run Splunk_TA_stream with SUID root permissions.
To set permissions for Splunk_TA_stream:
On Linux and OSX, run the set_permissions.sh script in the Splunk_TA_stream directory, as follows:
cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo chmod +x ./set_permissions.sh
sudo ./set_permissions.sh
On Windows, you must either run Splunk Enterprise as Administrator, or install WinPcap as a stand-alone package on the target machine.
Enable SSL certificate validation
You can enable certificate validation for SSL connections to Splunk_TA_stream to verify the identity of splunk_app_stream servers. To enable certificate validation, set the appropriate parameters in inputs.conf:
- Edit $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf.
- Set the following parameters:
sslVerifyServerCert = true
* Enables server (splunk_app_stream) certificate validation on the client (streamfwd) side.
rootCA = <path>
* Points to the file name of the root CA certificate file. If the "sslVerifyServerCert" parameter is set to true, "rootCA" must show the full path to the root CA certificate file. If this parameter is left empty or points to a non-existent file, certificate validation does not occur.
sslCommonNameToCheck = <commonName>
* Allows for overriding the common name value to compare against the certificate CN. If this parameter is left blank, the fully qualified host name of the splunk_app_stream server is verified against the CN in the server certificate. For the certificate CN, the following Common Name formats are supported: *.app.splunk.com OR streamapp.app.splunk.com.
Note: If certificate validation is enabled and validation fails, either because the certificate is not valid OR because the common names do not match, streamfwd will not connect to the splunk_app_stream server.
Configure indexer receiving port for Stream data
- On indexers, go to Settings > Forwarding and Receiving.
- Click Configure Receiving.
- Click New. Enter the receiving port number. For example, port 9997.
- Click Save.
Manually install Splunk_TA_stream on remote universal forwarders
To collect network data from one or more remote servers without using a deployment server, manually install Splunk_TA_stream on universal forwarders on each server, as follows:
- Install Splunk Stream as described in Install Splunk Stream in a distributed environment on this page. This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps. This also installs a version of Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps.
- Copy Splunk_TA_stream from $SPLUNK_HOME/etc/deployment-apps into $SPLUNK_HOME/etc/apps on each universal forwarder.
- Verify the Splunk_TA_stream configuration on each universal forwarder as follows:
  - Verify that Splunk_TA_stream/local/inputs.conf specifies the correct location of splunk_app_stream. For example:
    [streamfwd://streamfwd]
    splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
    stream_forwarder_id =
    disabled = 0
  - Verify that Splunk_TA_stream/local/streamfwd.conf is configured to collect data from the appropriate network interface.
    Note: By default streamfwd.conf collects data from all network interfaces. For detailed streamfwd.conf configuration information, see Configure Stream forwarder in this manual.
- Restart Splunk Enterprise.
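As an added example in Python (not Splunk's code or documentation), here is a checker for the Splunk_TA_stream inputs.conf settings covered in the Enable SSL certificate validation section and in the verification step above: it parses the [streamfwd://streamfwd] stanza, flags the cases in which certificate validation silently does not occur (sslVerifyServerCert=true with an empty or missing rootCA), checks that splunk_stream_app_location is an https URL, and models the CN comparison against the two supported Common Name formats. The sample conf text is constructed; the one-label wildcard rule in cn_matches and the function names are my assumptions.

```python
import configparser
import os
from urllib.parse import urlparse

# Constructed sample of a universal forwarder's Splunk_TA_stream/local/inputs.conf:
# validation is switched on, but rootCA is left empty (the silent-failure case).
SAMPLE_INPUTS_CONF = """\
[streamfwd://streamfwd]
splunk_stream_app_location = https://splunk-sh.example.com:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
sslVerifyServerCert = true
rootCA =
"""

def cn_matches(expected_host, cert_cn):
    """Compare a host name against a certificate CN. Assumption: a leading
    '*.' label matches exactly one DNS label (*.app.splunk.com covers
    streamapp.app.splunk.com but not a.b.app.splunk.com)."""
    host = expected_host.lower().rstrip(".")
    cn = cert_cn.lower().rstrip(".")
    if cn.startswith("*."):
        suffix = cn[1:]                            # ".app.splunk.com"
        head = host[:-len(suffix)] if host.endswith(suffix) else ""
        return head != "" and "." not in head
    return host == cn

def check_streamfwd_stanza(conf_text, ca_exists=os.path.isfile):
    """Return findings for the [streamfwd://streamfwd] stanza (empty list = OK);
    ca_exists is injectable so the check can run without the real CA file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                           # Splunk keys are case-sensitive
    cp.read_string(conf_text)
    stanza = "streamfwd://streamfwd"
    if stanza not in cp:
        return [f"missing [{stanza}] stanza"]
    s = cp[stanza]
    findings = []
    loc = s.get("splunk_stream_app_location", "").strip()
    if not loc:
        findings.append("splunk_stream_app_location is not set")
    elif urlparse(loc).scheme != "https":
        findings.append(f"splunk_stream_app_location is not https: {loc}")
    verify = s.get("sslVerifyServerCert", "false").strip().lower() == "true"
    root_ca = s.get("rootCA", "").strip()
    if not verify:
        findings.append("sslVerifyServerCert is not true: server certificate is not validated")
    elif not root_ca:
        findings.append("sslVerifyServerCert=true but rootCA is empty: validation does not occur")
    elif not ca_exists(root_ca):
        findings.append(f"rootCA points to a non-existent file ({root_ca}): validation does not occur")
    return findings
```

Run the checker against each forwarder's local/inputs.conf before restarting; an empty list means the stanza is set to actually validate the splunk_app_stream server certificate.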
Install Independent Stream Forwarder
Splunk Stream supports independent Stream forwarder (streamfwd) installation on compatible Linux machines. For instructions, see Deploy independent Stream forwarder in this manual.
This documentation applies to the following versions of Splunk Stream™: 7.2.0