Splunk Stream

Installation and Configuration Manual


Install Splunk Stream

Splunk Stream can be deployed into:

For an overview of these deployment environments, see Deployment architectures in this manual.

Splunk Stream components

The Splunk Stream install package includes the following components:

  • Splunk App for Stream
    • Provides tools for configuration management.
    • Contains the independent Stream forwarder install package splunkstreamfwd.tgz, and generates a curl command that you use to install the independent Stream forwarder on any compatible Linux machine. See Deploy Independent Stream Forwarder in this manual.
    • Provides tools for managing your Stream forwarders.
    • Provides filters you use for fine-tuning data capture.
    • Provides pre-defined stream templates.
    • Provides dashboards that help you analyze network events and flow data.
  • Splunk Add-on for Stream Forwarders
    • Installed on Splunk universal forwarders.
    • Provides packet capture, protocol decoding and metadata extraction.
    • Forwards data through the universal forwarder to the Splunk indexer.
  • Splunk Add-on for Stream Wire Data
    • Contains both search-time and index-time props and transforms.
    • Required on all search heads and indexers, or wherever index-time parsing is performed.
    • Provides search knowledge objects and CIM compatibility.

Install Splunk Stream on a single instance

In a single-instance deployment, one Splunk Enterprise instance serves as both the search head and the indexer.

  1. Go to http://splunkbase.com/app/1809/.
  2. Click Download. The splunk-stream_<latest_version>.tgz installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Click Manage Apps > Install app from file.
  5. Upload the splunk-stream_<latest_version>.tgz installer file.
  6. Restart Splunk Enterprise, if prompted.
    This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps.
  7. Run the set_permissions.sh script to set permissions for Splunk_TA_stream. See Set Splunk_TA_stream permissions on this page.

Install Splunk Stream in a distributed environment

You can install Splunk Stream in any distributed Splunk Enterprise environment. For information on Splunk Stream distributed deployment architectures, see Distributed deployment in this manual.

Splunk Stream version 6.5.0 and later supports search head clusters. See Deploy Stream on a search head Cluster in this manual.

Install Splunk Stream on search heads

  1. Go to http://splunkbase.com/app/1809/.
  2. Click Download. The splunk-stream_<latest_version>.tgz installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Click Manage Apps > Install app from file.
  5. Upload the splunk-stream_<latest_version>.tgz installer file.
  6. Restart Splunk Enterprise (if prompted).
    This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps. It also installs a copy of Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps.
  7. Repeat steps 3-6 on all search heads.

Configure deployment server to distribute Splunk_TA_stream to universal forwarders

When you install Splunk Stream on search heads, it installs a copy of Splunk_TA_stream in the $SPLUNK_HOME/etc/deployment-apps directory. This is a pre-configured copy of Splunk_TA_stream that you can deploy to universal forwarders using the deployment server.

For instructions on how to set up the deployment server to distribute Splunk_TA_stream to universal forwarders, see Plan a deployment in Updating Splunk Enterprise Instances.

Set Splunk_TA_stream permissions

During installation, Stream automatically puts the NIC in promiscuous mode. This requires you to run Splunk_TA_stream with SUID root permissions.

To set permissions for Splunk_TA_stream:

On Linux and OSX, run the set_permissions.sh script in the Splunk_TA_stream directory, as follows:

cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo chmod +x ./set_permissions.sh
sudo ./set_permissions.sh

On Windows, you must either run Splunk Enterprise as Administrator, or install WinPcap as a stand-alone package on the target machine.

Enable SSL certificate validation

You can enable certificate validation for SSL connections from Splunk_TA_stream (streamfwd) to splunk_app_stream, so that the forwarder verifies the identity of the splunk_app_stream server before it connects. To enable certificate validation, set the appropriate parameters in inputs.conf:

  1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf.
  2. Set the following parameters:
sslVerifyServerCert = true
* Enables server (splunk_app_stream) certificate validation on client (streamfwd) side.

rootCA = <path>
* Points to the file name of the root CA certificate file. If the "sslVerifyServerCert" parameter 
  is set to true, "rootCA" must show the full path to the root CA certificate file. If this 
  parameter is left empty or points to a non-existent file, certificate validation does not occur.

sslCommonNameToCheck = <commonName>
* Allows for overriding common name value to compare against the certificate CN. If this
  parameter is left blank, the fully qualified host name of the splunk_app_stream server is 
  verified against the CN in the server certificate. For the certificate CN, the following 
  Common Name formats are supported: *.app.splunk.com OR streamapp.app.splunk.com.

Note: If certificate validation is enabled and validation fails either because the certificate is not valid OR because the common names do not match, streamfwd will not connect to the splunk_app_stream server.
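As a pre-flight check for the three settings above (an added example, not part of the Splunk documentation or of the Splunk_TA_stream code): parse the streamfwd stanza, apply the manual's rule that validation silently does not occur when rootCA is empty or points to a missing file, and match the server name against the two CN formats the manual lists. The inputs.conf text and paths are constructed; deriving the server's host name from splunk_stream_app_location when sslCommonNameToCheck is blank is an assumption.

```python
import configparser
import os
from urllib.parse import urlparse

# Constructed inputs.conf stanza for illustration (not from a real deployment).
SAMPLE_INPUTS_CONF = """
[streamfwd://streamfwd]
splunk_stream_app_location = https://streamapp.app.splunk.com:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
sslVerifyServerCert = true
rootCA = /opt/splunk/etc/apps/Splunk_TA_stream/local/rootca.pem
sslCommonNameToCheck =
"""

def parse_streamfwd_stanza(text):
    """Return the [streamfwd://streamfwd] stanza as a dict, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # inputs.conf keys are case-sensitive (rootCA, sslVerifyServerCert)
    cp.read_string(text)
    return dict(cp["streamfwd://streamfwd"])

def expected_common_name(stanza):
    """sslCommonNameToCheck overrides; otherwise assume the FQDN in the app URL."""
    override = stanza.get("sslCommonNameToCheck", "").strip()
    return override or urlparse(stanza["splunk_stream_app_location"]).hostname

def cn_matches(cert_cn, expected):
    """Two CN forms from the manual: an exact name, or a single leading
    wildcard label (*.app.splunk.com). The wildcard covers exactly one label."""
    cert_cn, expected = cert_cn.lower(), expected.lower()
    if cert_cn.startswith("*."):
        suffix = cert_cn[1:]  # ".app.splunk.com"
        head = expected[: -len(suffix)] if expected.endswith(suffix) else None
        return bool(head) and "." not in head
    return cert_cn == expected

def check_validation_config(stanza, path_exists=os.path.exists):
    """Return (validation_effective, findings). False means streamfwd would
    accept any server certificate, which is the silent failure the manual warns about."""
    findings = []
    if stanza.get("sslVerifyServerCert", "false").strip().lower() != "true":
        findings.append("sslVerifyServerCert is not true: server certificate is not validated")
        return False, findings
    root_ca = stanza.get("rootCA", "").strip()
    if not root_ca:
        findings.append("rootCA is empty: certificate validation does not occur")
        return False, findings
    if not path_exists(root_ca):
        findings.append(f"rootCA {root_ca} does not exist: certificate validation does not occur")
        return False, findings
    return True, findings
```

Run the check on each universal forwarder's Splunk_TA_stream/local/inputs.conf before enabling the input, and treat any finding as a misconfiguration rather than a working setup.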

Configure indexer receiving port for Stream data

  1. On indexers, go to Settings > Forwarding and Receiving.
  2. Click Configure Receiving.
  3. Click New. Enter the receiving port number. For example, port 9997.
  4. Click Save.

Manually install Splunk_TA_stream on remote universal forwarders

To collect network data from one or more remote servers without using a deployment server, manually install Splunk_TA_stream on universal forwarders on each server, as follows:

  1. Install Splunk Stream as described in Install Splunk Stream in a distributed environment on this page.
    This installs splunk_app_stream and Splunk_TA_stream in $SPLUNK_HOME/etc/apps. This also installs a version of Splunk_TA_stream in $SPLUNK_HOME/etc/deployment-apps.
  2. Copy Splunk_TA_stream from $SPLUNK_HOME/etc/deployment-apps into $SPLUNK_HOME/etc/apps on each universal forwarder.
  3. Verify Splunk_TA_stream configuration on each universal forwarder as follows:
    1. Verify that Splunk_TA_stream/local/inputs.conf specifies the correct location of splunk_app_stream. For example:
      [streamfwd://streamfwd]
      splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
      stream_forwarder_id = 
      disabled = 0
      
    2. Verify that Splunk_TA_stream/local/streamfwd.conf is configured to collect data from the appropriate network interface.
      Note: By default streamfwd.conf collects data from all network interfaces. For detailed streamfwd.conf configuration information, see Configure Stream forwarder in this manual.
  4. Restart Splunk Enterprise.

Install Independent Stream Forwarder

Splunk Stream supports independent Stream forwarder (streamfwd) installation on compatible Linux machines. For instructions, see Deploy independent Stream forwarder in this manual.

Last modified on 18 November, 2020
 

This documentation applies to the following versions of Splunk Stream: 7.3.0

