Network collection architectures
Splunk Stream requires installation of universal forwarders and
Splunk_TA_stream on your network at the location(s) where you want to capture network data. To determine the best location for these components, consider the topology and organization of your network and the tools available.
Before you deploy Stream:
- Review the network (or network segment) that contains the hosts you want to monitor.
- Review the network collection architectures (below) and determine the best method to capture data.
There are three types of network collection architectures that fit most use cases: local, SPAN, and TAP.
A local collection architecture requires installation of a universal forwarder and
Splunk_TA_stream on each host on the network or network segment that you want to monitor. Local collection is useful, for example, in a subnet environment (such as a multi-tier web site) for capturing data from individual network nodes.
SPAN or TAP collection
A SPAN or TAP collection architecture requires a collection node that listens to all traffic on a network or network segment using a SPAN port or network TAP. The collection node requires installation of a universal forwarder and
Splunk_TA_stream, and is configured as the listener on the SPAN or TAP interface.
This diagram illustrates a distributed Splunk Stream deployment with a SPAN collection architecture:
SPAN architecture considerations
If you are deploying Stream in a SPAN collection architecture, consider the following:
- Can the NIC (network interface card) that receives the mirror data handle the influx of traffic? For example, a 1GB NIC cannot handle the volume of data that comes from a 10GB port.
- Does the SPAN mirror port contain both ingress and egress traffic from all of the ports they are spanning? If yes, then the capacity of the NIC itself is even more important.
- Does the mirror device generate NATed data (in which case the data contains both internal and external (Internet) representations of traffic)?
- What is the volume of source traffic? Depending on the volume of traffic, you might need to make some performance tweaks to ensure that the system behaves as expected.
Pros and Cons of collection architectures
This table shows pros and cons of local, SPAN, and TAP collection architectures:
For more information on network collection methods, see the Splunk blog post Everything you always wanted to know about SPAN ports, Network Taps, Packet Mirrors, and the Splunk App for Stream (but were afraid to ask).
Splunk Stream deployment architectures
Stream data capture configuration basics
This documentation applies to the following versions of Splunk Stream™: 7.1.2, 7.1.3, 7.2.0