Splunk Stream

Installation and Configuration Manual

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Configure Stream forwarder

After you install your Splunk Stream Forwarder, you configure it to forward data to you Spunk Stream deployment:

Provide the Splunk Add-on for Stream Forwarders with the location of your Splunk App for Stream installation

Before you set up stream data capture, configure Splunk_TA_stream/local/inputs.confto communicate with the Splunk App for Stream. Your Stream forwarders use this location to retrieve the stream capture configurations, including protocols, fields, and aggregation types, that you define in the Configure Streams UI.


  1. Open $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf.
  2. Confirm that the [streamfwd://streamfwd] stanza contains the correct location (URI) of your splunk_app_stream installation. For search head clusters, the address for this can be a single URL that is either a load balancer with sticky sessions or a single member of the SHC.
    [streamfwd://streamfwd]
    splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
    disabled = 0
    

For more information, see How Splunk_TA_stream communicates with splunk_app_stream in this manual.

Note: The splunk_app_stream URI supports http and https protocols. If you enable SSL, you must change the URI path to specify https. If you change the http port, you must change the URI path to specify the new port.

Configure the Stream forwarder identifier

When using a deployment server, if you set or modify the stream_forwarder_id of a Stream forwarder while a process is running, you must restart the universal forwarder for the changes to apply to the stream_forwarder_id.

You can also use the stream_forwarder_id to manage distributed stream forwarder instances. For more information, see Distributed forwarder management.

Enable SSL certificate validation

Enable certificate validation for SSL connections to Splunk_TA_stream to verify the identity of splunk_app_stream servers. To enable certificate validation, edit the parameters in inputs.conf.

  1. Open to edit $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf.
  2. Set the following parameters:
    • sslVerifyServerCert = true: Enables server (splunk_app_stream) certificate validation on the client( streamfwd) side.
    • rootCA = <path>: Points to the file name of the root CA certificate file. If the sslVerifyServerCert parameter is set to true, rootCA must show the full path to the root CA certificate file. If this parameter is left empty or points to a non-existent file, certificate validation does not occur.
    • sslCommonNameToCheck = <commonName>: This lets you override the common name value to compare against the certificate CN. If this parameter is left blank, the fully qualified host name of the splunk_app_stream server is verified against the CN in the server certificate. For the certificate CN, the Common Name formats *.app.splunk.com or streamapp.app.splunk.com are supported. If certificate validation is enabled and validation fails because the certificate is not valid or because the common names do not match, streamfwd does not connect to the splunk_app_stream server.
    Configure the indexer receiving port for Splunk Stream data.
  1. On the indexers tab, go to Settings > Forwarding and Receiving.
  2. Click Configure Receiving.
  3. Click New.
  4. Enter the receiving port number. For example, port 9997.
  5. Click Save.
Last modified on 17 September, 2020
PREVIOUS
Upgrade the Splunk Add-on for Stream Forwarders
  NEXT
Configure Forwarder Parameters in streamfwd.conf

This documentation applies to the following versions of Splunk Stream: 7.3.0


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters