Configure Stream forwarder
After you install your Splunk Stream Forwarder, you configure it to forward data to your Splunk Stream deployment:
- Provide the Splunk Add-on for Stream Forwarders with the location of your Splunk App for Stream installation.
- Configure your local Stream Forwarders to specify data capture parameters.
- Configure parameters for streamfwd.conf.
Provide the Splunk Add-on for Stream Forwarders with the location of your Splunk App for Stream installation
Before you set up stream data capture, configure Splunk_TA_stream/local/inputs.conf to communicate with the Splunk App for Stream. Your Stream forwarders use this location to retrieve the stream capture configurations, including protocols, fields, and aggregation types, that you define in the Configure Streams UI.
- Open $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf.
- Confirm that the [streamfwd://streamfwd] stanza contains the correct location (URI) of your splunk_app_stream installation. For search head clusters, the address for this can be a single URL that is either a load balancer with sticky sessions or a single member of the SHC.
    [streamfwd://streamfwd]
    splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
    disabled = 0
For more information, see How Splunk_TA_stream communicates with splunk_app_stream in this manual.
Note: The splunk_app_stream URI supports http and https protocols. If you enable SSL, you must change the URI path to specify https. If you change the http port, you must change the URI path to specify the new port.
Configure the Stream forwarder identifier
When using a deployment server, if you set or modify the stream_forwarder_id of a Stream forwarder while a process is running, you must restart the universal forwarder for the changes to apply to the stream_forwarder_id.
You can also use the stream_forwarder_id to manage distributed stream forwarder instances. For more information, see Distributed forwarder management.
Enable SSL certificate validation
Enable certificate validation for SSL connections to Splunk_TA_stream to verify the identity of splunk_app_stream servers. To enable certificate validation, edit the parameters in inputs.conf.
- Open $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf for editing.
- Set the following parameters:
  - sslVerifyServerCert = true: Enables server (splunk_app_stream) certificate validation on the client (streamfwd) side.
  - rootCA = <path>: Points to the file name of the root CA certificate file. If the sslVerifyServerCert parameter is set to true, rootCA must show the full path to the root CA certificate file. If this parameter is left empty or points to a non-existent file, certificate validation does not occur.
  - sslCommonNameToCheck = <commonName>: This lets you override the common name value to compare against the certificate CN. If this parameter is left blank, the fully qualified host name of the splunk_app_stream server is verified against the CN in the server certificate. For the certificate CN, the Common Name formats *.app.splunk.com or streamapp.app.splunk.com are supported.
  If certificate validation is enabled and validation fails because the certificate is not valid or because the common names do not match, streamfwd does not connect to the splunk_app_stream server.
- Configure the indexer receiving port for Splunk Stream data.
  - On the indexers tab, go to Settings > Forwarding and Receiving.
  - Click Configure Receiving.
  - Click New.
  - Enter the receiving port number. For example, port 9997.
  - Click Save.
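A pre-deployment check for the settings described under Enable SSL certificate validation, as an added example that is not part of the Splunk documentation or product. It uses only the key names shown on this page; the function name audit_streamfwd and the sample stanza are constructed for illustration.

```python
import configparser
import os
from urllib.parse import urlsplit

STANZA = "streamfwd://streamfwd"

# Constructed sample: https URI, validation requested, but rootCA left empty.
SAMPLE = """\
[streamfwd://streamfwd]
splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
sslVerifyServerCert = true
rootCA =
disabled = 0
"""

def audit_streamfwd(conf_text):
    """Return (findings, name compared against the certificate CN)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case, e.g. sslVerifyServerCert
    # Dummy header so settings placed before any stanza do not break parsing.
    cp.read_string("[__global__]\n" + conf_text)
    if not cp.has_section(STANZA):
        return ["stanza [%s] not found" % STANZA], None
    s = {k: v.strip() for k, v in cp.items(STANZA)}
    findings = []

    uri = urlsplit(s.get("splunk_stream_app_location", ""))
    if uri.scheme != "https":
        findings.append("splunk_stream_app_location does not use https")

    # The page documents the value 'true'; other spellings are flagged for review.
    if s.get("sslVerifyServerCert", "").lower() != "true":
        findings.append("sslVerifyServerCert is not true")

    # An empty or non-existent rootCA means validation does not occur.
    root_ca = os.path.expandvars(s.get("rootCA", ""))
    if not root_ca or not os.path.isfile(root_ca):
        findings.append("rootCA is empty or not a file: validation does not occur")

    # A blank override means the server host name from the URI is checked.
    cn = s.get("sslCommonNameToCheck") or uri.hostname
    return findings, cn

if __name__ == "__main__":
    issues, cn = audit_streamfwd(SAMPLE)
    print("CN compared against:", cn)
    for issue in issues:
        print("FINDING:", issue)
```

Run it against the contents of local/inputs.conf on each forwarder; an empty findings list means the stanza requests validation and the root CA file is actually present.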
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0