Splunk Stream

Installation and Configuration Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk Stream. Click here for the latest version.
Acrobat logo Download topic as PDF

Upgrade Splunk Stream

Upgrade Splunk Stream in Splunk Web

Upgrade Splunk Stream in Splunk Web, as follows:

  1. Open Splunk Enterprise.
  2. In the top left menu, click Manage Apps.
  3. Click Install app from file.
  4. Click Choose file and browse to the latest version of the splunk-stream_<latest_version>.tgz installer file.
  5. Select the Upgrade app checkbox. This overwrites the current version of the app.
  6. Click Upload.
  7. Restart Splunk Enterprise if prompted. This upgrades the following directories:
  • splunk_app_stream in $SPLUNK_HOME/etc/apps.
  • Splunk_TA_stream in $SPLUNK_HOME/etc/apps.
  • Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps.

Note: This process does not upgrade Splunk_TA_stream unless the installer package includes a new version of the TA. Otherwise, the installer upgrades splunk_app_stream only.

Manually upgrade Splunk_TA_stream

When you upgrade Splunk Stream, Splunk_TA_stream is automatically upgraded on the server on which Splunk Stream is installed. However, Splunk_TA_stream is not automatically upgraded on universal forwarders. If your Stream deployment includes additional universal forwarders and you are not using the deployment server, you must manually upgrade Splunk_TA_stream on each universal forwarder (or use another mechanism to install the TA, such as Puppet or Chef).

To manually upgrade Splunk_TA_stream to the latest version:

  1. Make a backup of the Splunk_TA_stream directory:
    mv $SPLUNK_HOME/etc/apps/Splunk_TA_stream Splunk_TA_stream.bak
  2. Copy the Splunk_TA_stream directory from the new splunk_app_stream tarball:
    cp -r $TARBALL_DIR/install/Splunk_TA_stream $SPLUNK_HOME/etc/apps/
  3. Copy over the old local configuration directory:
    cp –r Splunk_TA_stream.bak/local $SPLUNK_HOME/etc/apps/Splunk_TA_stream/
  4. Remove temp directory:
    rm –rf Splunk_TA_stream.bak
  5. Restart Splunk.
    cd $SPLUNK_HOME/bin
    ./splunk restart

Verify data forwarding

If the Stream Forwarders fail to send data after upgrade, you may see messages similar to this one:

WARN [139650313393920] (HTTPRequestSender.cpp:1485) stream.SplunkSenderHTTPEventCollector - (#7) TCP connection failed: Connection refused

To resolve this, first verify that the Stream forwarder is correctly configured. Then go to the Stream Forward App and update your HEC configuration:

  1. In the Stream App, open the Distributed Forwarder Management page.
  2. Select "Install Stream Forwarders".
  3. Verify the curl command is the same one running on the Stream Forward App.
  4. Turn off the HEC Autoconfig option.
  5. Update the Endpoint URLs by manually typing in the HEC (HF or Indexer) URL.

Windows installation considerations

Splunk Stream uses the WinPcap driver to capture packets on Windows systems. Due to a flaw in the WinPcap security model, installing Stream on Windows allows all local users to use WinPcap for packet sniffing. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges.

On Windows systems, Splunk Stream supports the Admin role only.

Last modified on 01 April, 2020
Install Splunk Stream
Deploy independent Stream forwarder

This documentation applies to the following versions of Splunk Stream: 7.2.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters