Network collection architectures
Install your universal forwarders and Splunk_TA_stream on your network at the location(s) where you want to capture network data. To determine the best location for these components, consider the topology and organization of your network and the tools available.
Before you deploy Stream:
- Review the network (or network segment) that contains the hosts you want to monitor.
- Review the network collection architectures (below) and determine the best method to capture data.
There are three types of network collection architectures that fit most use cases:
- local
- SPAN
- TAP
Local collection
A local collection architecture requires that you install a universal forwarder and Splunk_TA_stream on each host on the network or network segment that you want to monitor. Local collection is useful, for example, in a subnet environment (such as a multi-tier web site) for capturing data from individual network nodes.
You can deploy Splunk_TA_stream to forwarders manually or use the Splunk deployment server.
SPAN or TAP collection
A SPAN or TAP collection architecture requires a collection node that listens to all traffic on a network or network segment using a SPAN port or network TAP. Install a universal forwarder and Splunk_TA_stream, and configure it as the listener on the SPAN or TAP interface.
This diagram illustrates a distributed Splunk Stream deployment with a SPAN collection architecture:
SPAN architecture considerations
If you are deploying Stream in a SPAN collection architecture, consider the following:
- Can the NIC (network interface card) that receives the mirror data handle the influx of traffic? For example, a 1GB NIC cannot handle the data volume from a 10GB port.
- Does the SPAN mirror port carry both ingress and egress traffic from all of the ports it is spanning? If yes, the mirrored volume can approach twice the aggregate load of those ports, so the capacity of the NIC itself is even more important.
- Does the mirror device generate NATed data (in which case the data contains both internal and external (Internet) representations of traffic)?
- What is the volume of source traffic? Depending on the volume of traffic, you might need to make some performance tweaks to ensure that the system behaves as expected.
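The first two questions above are a capacity sum that is easy to get wrong once several ports are spanned in both directions. The following script is an added example, not part of the Splunk documentation or of Splunk_TA_stream: it models a SPAN session as a list of mirrored ports with a link speed and per-direction utilisation, adds up what the mirror port would have to deliver, and flags the two failure modes the list describes (a single link faster than the collector NIC, and aggregate oversubscription). Port names, link speeds, utilisation figures and the 80% headroom threshold are all constructed assumptions.

```python
"""SPAN capacity sanity check for a Splunk Stream collection node.

Added example, not Splunk code. Port names, link speeds, utilisation
figures and the headroom threshold are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class SpannedPort:
    name: str
    link_gbps: float      # physical link speed of the mirrored switch port
    ingress_util: float   # fraction of link_gbps in use inbound (0..1)
    egress_util: float    # fraction of link_gbps in use outbound (0..1)


def mirrored_gbps(port: SpannedPort, both_directions: bool) -> float:
    """Traffic the SPAN session copies from one port to the mirror port."""
    load = port.link_gbps * port.ingress_util
    if both_directions:
        # ingress + egress of the same port both land on the one mirror port
        load += port.link_gbps * port.egress_util
    return load


def check_span_capacity(ports, nic_gbps, both_directions=True, headroom=0.8):
    """Return sustained mirrored load, worst-case line rate and findings.

    headroom is the fraction of collector NIC capacity we assume can be
    sustained before the capture interface starts dropping packets.
    """
    load = sum(mirrored_gbps(p, both_directions) for p in ports)
    # worst case: every spanned port saturated in every mirrored direction
    line_rate = sum(p.link_gbps * (2 if both_directions else 1) for p in ports)
    findings = []
    for p in ports:
        if p.link_gbps > nic_gbps:
            findings.append(
                f"{p.name}: {p.link_gbps:g}G link is faster than the "
                f"{nic_gbps:g}G collector NIC; bursts will be dropped")
    if load > nic_gbps * headroom:
        findings.append(
            f"sustained mirrored load {load:.2f}G exceeds {headroom:.0%} "
            f"of the {nic_gbps:g}G collector NIC")
    if line_rate > nic_gbps:
        findings.append(
            f"oversubscribed: aggregate line rate {line_rate:g}G mirrored "
            f"into a {nic_gbps:g}G NIC")
    return {
        "mirrored_gbps": round(load, 3),
        "line_rate_gbps": line_rate,
        "oversubscribed": line_rate > nic_gbps,
        "findings": findings,
    }


# constructed sample: two access ports mirrored into a 1G collector NIC
SAMPLE_PORTS = [
    SpannedPort("Gi1/0/1", 1.0, ingress_util=0.3, egress_util=0.2),
    SpannedPort("Gi1/0/2", 1.0, ingress_util=0.4, egress_util=0.1),
]
# constructed sample: one lightly used 10G uplink, same 1G collector NIC
TEN_GIG = SpannedPort("Te1/1/1", 10.0, ingress_util=0.05, egress_util=0.05)

if __name__ == "__main__":
    for label, ports, both in (("two 1G ports, both directions", SAMPLE_PORTS, True),
                               ("two 1G ports, ingress only", SAMPLE_PORTS, False),
                               ("one 10G uplink, both directions", [TEN_GIG], True)):
        report = check_span_capacity(ports, nic_gbps=1.0, both_directions=both)
        print(label, report)
```

Run the script as-is to see the three constructed scenarios. The "ingress only" case shows why the second question matters: the same two ports fit under the headroom threshold when only one direction is mirrored, but not when both are. The 10G case shows that a link faster than the collector NIC is a problem even at 5% utilisation, because the utilisation figure says nothing about burst rate.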
Pros and Cons of collection architectures
This table highlights pros and cons of local, SPAN, and TAP collection architectures.
For more information on network collection methods, see the Splunk blog post Everything you always wanted to know about SPAN ports, Network Taps, Packet Mirrors, and the Splunk App for Stream (but were afraid to ask).
Collection type | Pros | Cons
---|---|---
Local | |
SPAN | |
TAP | |
This documentation applies to the following versions of Splunk Stream™: 7.1.2, 7.1.3, 7.2.0