Distributed deployment installation and configuration requirements
Make sure you have the following prerequisites before you install Splunk Stream.
For a list of network protocols that Splunk Stream supports, see Supported Protocols in this manual.
Hardware requirements and recommendations
- Make sure that your underlying Splunk Enterprise deployment meets the requirements specified in Introduction to capacity planning for Splunk Enterprise in the Splunk Enterprise Capacity Planning Manual.
- For baseline Splunk Enterprise hardware requirements, see Reference hardware in the Splunk Enterprise Capacity Planning Manual. Depending on the volume of network data that you plan to capture and index, additional resources might be required.
- For information about Splunk Stream performance to help you with capacity planning, see Performance test results and recommendations in this manual.
Supported operating systems
Splunk Stream 7.1.2 and later supports the following operating systems:
- Linux kernel version 3.10 or later(64 bit)
- Red Hat Enterprise Linux 7.0 or later
- CentOS 7.0 or later
- Ubuntu 16.04 or later
Note: Splunk Add-on for Stream Forwarder is supported on 64-bit Linux (RHEL and Ubuntu).
Default Linux kernel settings are not sufficient for high-volume packet capture. Using these settings can cause missing packets and data loss. To avoid this issue, add the following kernel settings to your
# increase kernel buffer sizes for reliable packet capture net.core.rmem_default = 33554432 net.core.rmem_max = 33554432 net.core.netdev_max_backlog = 10000
Then run the following to reload the settings:
- Mac OSX version 10.11 or later.
- Windows Server 2012R2 or later (64-bit)
Splunk Stream supports Local System and Administrator accounts on Windows. For more information, see How the System account is used in Windows.
Splunk Enterprise version requirements
Splunk Stream version 7.3.0 is supported on Splunk Enterprise 8.0. Download Splunk Enterprise.
Splunk Stream 6.2.x and later supports these browsers:
- Chrome (latest)
- Safari (latest)
- Firefox (latest) (version 10.x is not supported)
- Internet Explorer 9 or later. Internet Explorer version 9 is not supported in compatibility mode.
Splunk Stream does not require a separate license. You can install and use Splunk Stream on Splunk Enterprise with a single Splunk Enterprise license.
Splunk Enterprise licenses are based on the amount of data stored by your Splunk indexers per day. For more information, see How Splunk licensing works in the Splunk Enterprise Admin Manual.
Targeted packet capture and file extraction requirements
To use targeted packet capture and file extraction, map your Splunk Stream deployment to a remote file server. For instructions, see Configure targeted packet capture and Configure file extraction in this manual.
Targeted packet capture and file extraction require Splunk Stream version 7.1.0 or later.
- NefFlow data collection requires Splunk Stream version 7.0.0 or later.
- NetFlow Application ID field decoding requires Splunk Stream version 7.2.0 or later.
- NetFlow event timestamp based on NetFlow record flow timestamps requires Splunk Stream version 7.2.0 or later.
To learn more about NetFlow, see Use Splunk Stream to ingest Netflow and IPFIX data.
Install an Independent Stream Forwarder for Splunk Cloud
Distributed deployment installation and configuration overview
This documentation applies to the following versions of Splunk Stream™: 7.3.0