Splunk Stream

Installation and Configuration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Install Splunk Stream

This topic shows you how to install and upgrade Splunk Stream in both single instance and distributed Splunk Enterprise environments. For an overview of these deployment environments, see Deployment architectures in this manual.

Splunk Stream components

The Splunk Stream install package includes the following components:

  • splunk_app_stream: provides configuration management for the streamfwd binary. It also provides
    • Stream forwarder management tools
    • Filters for fine-tuning data capture
    • Pre-defined streams
    • Dashboards for analysis of network events and flow data.
  • Splunk_TA_stream provides data ingestion and forwarding capabilities. Splunk_TA_stream contains both search and index time props. It is required on indexers for searching and parsing. Splunk_TA_stream includes the Stream forwarder (streamfwd) binary. streamfwd is the core component of Splunk_TA_stream and provides passive capture of network data.
  • Independent Stream forwarder: The Splunk Stream installation package includes the independent Stream forwarder install package splunkstreamfwd.tgz. This install package is not deployed with splunk_app_stream and Splunk_TA_stream. Splunk Stream generates a curl command that you can use to install the independent Stream forwarder on any compatible Linux machine. See Deploy Independent Stream Forwarder in this manual.

Install Splunk Stream on a single instance

You can install Splunk Stream on a single Splunk Enterprise instance. In a single-instance deployment one Splunk Enterprise instance serves as both search head and indexer.

  1. Go to http://splunkbase.com/app/1809/.
  2. Click Download. The splunk-stream_<latest_version>.tgz installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Click Manage Apps > Install app from file.
  5. Upload the splunk-stream_<latest_version>.tgz installer file.
  6. Restart Splunk Enterprise, if prompted.
    This installs splunk_app_stream and splunk_TA_stream in $SPLUNK_HOME/etc/apps.
  7. Run the set_permissions.sh script to set permissions for Splunk_TA_stream. For details, see Set Splunk_TA_stream permissions on this page.

Install Splunk Stream in a distributed environment

You can install Splunk Stream in any distributed Splunk Enterprise environment. For information on Splunk Stream distributed deployment architectures, see Distributed deployment in this manual.

Splunk Stream version 6.5.0 and later supports search head clusters. See Deploy Stream on a search head Cluster in this manual.

Install Splunk Stream on search heads

  1. Go to http://splunkbase.com/app/1809/.
  2. Click Download. The splunk-stream_<latest_version>.tgz installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Click Manage Apps > Install app from file.
  5. Upload the splunk-stream_<latest_version>.tgz installer file.
  6. Restart Splunk Enterprise (if prompted).
    This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps. It also installs a copy of Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps.
  7. Repeat steps 3-6 on all search heads.

Configure deployment server to distribute Splunk_TA_stream to universal forwarders

When you install Splunk Stream on search heads, it installs a copy of Splunk_TA_stream in the $SPLUNK_HOME/etc/deployment-apps directory. This is a pre-configured copy of Splunk_TA_stream that you can deploy to universal forwarders using the deployment server.

For instructions on how to setup the deployment server to distribute Splunk_TA_stream to universal forwarders, see Plan a deployment in Updating Splunk Enterprise Instances.

Set Splunk_TA_stream permissions

During installation, Stream automatically puts the NIC in promiscuous mode. This requires you to run Splunk_TA_stream with SUID root permissions.

To set permissions for Splunk_TA_stream:

On Linux and OSX, run the set_permissions.sh script in the Splunk_TA_stream directory, as follows: 

cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo chmod +x ./set_permissions.sh
sudo ./set_permissions.sh

On Windows, you must either run Splunk Enterprise as Administrator, or install WinPcap as a stand-alone package on the target machine.

Enable SSL certificate validation

You can enable certificate validation for SSL connections to Splunk_TA_stream to verify the identity of splunk_app_stream servers. To enable certificate validation, set the appropriate parameters in inputs.conf:

  1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf.
  2. Set the following parameters:
sslVerifyServerCert = true
* Enables server (splunk_app_stream) certificate validation on client (streamfwd) side.

rootCA = <path>
* Points to the file name of the root CA certificate file. If the "sslVerifyServerCert" parameter 
  is set to true, "rootCA" must show the full path to the root CA certificate file. If this 
  parameter is left empty or points to a non-existent file, certificate validation does not occur.

sslCommonNameToCheck = <commonName>
* Allows for overriding common name value to compare against the certificate CN. If this
  parameter is left blank, the fully qualified host name of the splunk_app_stream server is 
  verified against the CN in the server certificate. For the certificate CN, the following 
  Common Name formats are supported: *.app.splunk.com OR streamapp.app.splunk.com.

Note: If certificate validation is enabled and validation fails either because the certificate is not valid OR because the common names do not match, streamfwd will not connect to the splunk_app_stream server.

Configure indexer receiving port for Stream data

  1. On indexers, go to Settings > Forwarding and Receiving.
  2. Click Configure Receiving.
  3. Click New. Enter the receiving port number. For example, port 9997.
  4. Click Save.

Manually install Splunk_TA_stream on remote universal forwarders

To collect network data from one or more remote servers without using a deployment server, manually install Splunk_TA_stream on universal forwarders on each server, as follows:

  1. Install Splunk Stream as described in Install Splunk Stream in a distributed environment on this page.
    This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps. This also installs a version of Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps.
  2. Copy Splunk_TA_stream from $SPLUNK_HOME/etc/deployment-apps into $SPLUNK_HOME/etc/apps on each universal forwarder.
  3. Verify Splunk_TA_stream configuration on each universal forwarder as follows:
    1. Verify that Splunk_TA_stream/local/inputs.conf specifies the correct location of splunk_app_stream. For example: 
      [streamfwd://streamfwd]
splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id = 
disabled = 0
    2. Verify that Splunk_TA_stream/local/streamfwd.conf is configured to collect data from the appropriate network interface.
      Note: By default streamfwd.conf collects data from all network interfaces. For detailed streamfwd.conf configuration information, see Configure Stream forwarder in this manual.
  4. Restart Splunk Enterprise.

Install Independent Stream Forwarder

Splunk Stream supports independent Stream forwarder (streamfwd) installation on compatible Linux machines. For instructions, see Deploy independent Stream forwarder in this manual.

Last modified on 14 September, 2020
PREVIOUS
Protocols that map to Splunk CIM 		  NEXT
Upgrade Splunk Stream

This documentation applies to the following versions of Splunk Stream: 7.2.0

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters