Splunk Stream

Installation and Configuration Manual


Install Splunk Stream in a distributed deployment

To deploy Splunk Stream, you install three Stream components on your Splunk Enterprise instances and/or on compatible Linux machines.

Product name                           Installation package name     Installed directory
Splunk App for Stream                  splunk_app_stream             splunk_app_stream/
Splunk Add-on for Stream Forwarders    Splunk_TA_stream              Splunk_TA_stream/
Splunk Add-on for Stream Wire Data     Splunk_TA_stream_wire_data    Splunk_TA_stream_wire_data/

Splunk Stream also provides the Independent Stream Forwarder, which is packaged as a binary, streamfwd, inside the Splunk App for Stream package.

For more about Splunk Stream components, see Splunk Stream installation package overview in this manual.

Install Splunk App for Stream on search heads

  1. Go to http://splunkbase.splunk.com/app/1809.
  2. Click Download. The installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Go to the command line and untar the installation package into $SPLUNK_HOME/etc/apps/.
  5. Restart Splunk Enterprise, if prompted. This installs the Splunk App for Stream (splunk_app_stream) in $SPLUNK_HOME/etc/apps.

Install the Splunk Add-on for Stream Wire Data

Install the Splunk Add-on for Stream Wire Data on search heads and indexers.

  1. Go to http://splunkbase.com/app/5234.
  2. Click Download. The installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Click Manage Apps > Install app from file.
  5. Upload the installer file.
  6. Restart Splunk Enterprise if prompted.

Use the deployment server to distribute the Splunk Add-on for Stream Forwarders

  1. Go to http://splunkbase.com/app/5238.
  2. Click Download. The installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Go to the command line and untar the installation package into $SPLUNK_HOME/etc/apps/.
  5. Restart Splunk Enterprise, if prompted. This installs the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) in the $SPLUNK_HOME/etc/deployment-apps directory. This is a pre-configured copy of the Splunk Add-on for Stream Forwarders that you can deploy to forwarders using the deployment server.
  6. Set Splunk_TA_stream permissions.
    • On Linux and OS X, run the set_permissions.sh script in the Splunk_TA_stream directory:
      cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
      sudo chmod +x ./set_permissions.sh
      sudo ./set_permissions.sh
    • Splunk Stream uses the WinPcap driver to capture packets on Windows systems. Because of a flaw in the WinPcap security model, installing Stream on Windows lets any local user use WinPcap for packet sniffing. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges. On Windows systems, Splunk Stream supports the Admin role only.

Enable SSL certificate validation

Enable certificate validation for the SSL connections that Splunk_TA_stream (streamfwd) makes to splunk_app_stream, so that the forwarder verifies the identity of the splunk_app_stream server. Without validation the connection is encrypted, but the forwarder does not authenticate the server it connects to. To enable certificate validation, edit the parameters in inputs.conf.

  1. Edit $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf to set the following parameters:
    • sslVerifyServerCert = true: enables validation of the server (splunk_app_stream) certificate on the client (streamfwd) side.
    • rootCA = <path>: path to the root CA certificate file that the server certificate must chain to.
    • sslCommonNameToCheck = <commonName>: overrides the name that is compared against the server certificate's CN.
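The following script is added here as an example; it is not part of Splunk Stream or this manual. It audits a Splunk_TA_stream local/inputs.conf for the three settings above and reports the weak state (validation off, or no rootCA) alongside the hardened one, so you can check a conf before pushing it from a deployment server. The stanza scheme streamfwd:// and the splunk_stream_app_location key used in the constructed sample configurations are assumptions about the add-on's inputs.conf layout; the audited keys are the ones listed in this section.

```python
"""Audit a Splunk_TA_stream local/inputs.conf for server-certificate validation.

Added example; not part of Splunk Stream or its documentation. The stanza
scheme "streamfwd://" and the key splunk_stream_app_location used in the
constructed samples are assumptions about the add-on's inputs.conf layout.
"""
import configparser
import os

STANZA_PREFIX = "streamfwd://"  # assumed scheme of the streamfwd input stanza
TRUE_VALUES = ("true", "1", "yes")


def parse_splunk_conf(text):
    """Parse Splunk .conf text (INI-like, '#' comments, case-sensitive keys)."""
    parser = configparser.RawConfigParser(
        strict=False,               # tolerate duplicate stanzas/keys
        delimiters=("=",),          # Splunk uses only '=' between key and value
        comment_prefixes=("#",),
    )
    parser.optionxform = str        # keep key case: sslVerifyServerCert, not sslverifyservercert
    parser.read_string(text)
    return parser


def audit_ssl_validation(conf_text, file_exists=os.path.isfile):
    """Return a list of findings; an empty list means the forwarder will
    validate the splunk_app_stream server certificate.

    file_exists is injectable so the conf can be audited on a host that does
    not hold the CA file (for example, on the deployment server).
    """
    parser = parse_splunk_conf(conf_text)
    stanzas = [s for s in parser.sections() if s.startswith(STANZA_PREFIX)]
    if not stanzas:
        return ["no [%s...] stanza found; the streamfwd input is not configured in this file" % STANZA_PREFIX]

    findings = []
    for stanza in stanzas:
        verify = parser.get(stanza, "sslVerifyServerCert", fallback="false").strip().lower()
        if verify not in TRUE_VALUES:
            findings.append("%s: sslVerifyServerCert=%s; the server certificate is NOT validated" % (stanza, verify))

        root_ca = parser.get(stanza, "rootCA", fallback="").strip()
        if not root_ca:
            findings.append("%s: rootCA is not set; there is no trust anchor for validation" % stanza)
        elif not file_exists(root_ca):
            findings.append("%s: rootCA file %s does not exist on this host" % (stanza, root_ca))

        cn = parser.get(stanza, "sslCommonNameToCheck", fallback=None)
        if cn is not None and not cn.strip():
            findings.append("%s: sslCommonNameToCheck is present but empty" % stanza)
    return findings


# Constructed sample: validation left at its default (encrypted but unauthenticated).
WEAK_CONF = """
[streamfwd://streamfwd]
splunk_stream_app_location = https://stream.example.com:8000/en-us/custom/splunk_app_stream/
disabled = 0
"""

# Constructed sample: validation enabled, anchored to a CA file, CN pinned.
HARDENED_CONF = """
[streamfwd://streamfwd]
splunk_stream_app_location = https://stream.example.com:8000/en-us/custom/splunk_app_stream/
disabled = 0
sslVerifyServerCert = true
rootCA = /opt/splunk/etc/apps/Splunk_TA_stream/local/stream_root_ca.pem
sslCommonNameToCheck = stream.example.com
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ssl_validation(conf, file_exists=lambda p: True) or ["OK"])
```

Run it against a real file with `audit_ssl_validation(open(path).read())`; the default file_exists check then also confirms that rootCA points at a file that is actually present on the forwarder.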

Configure the indexer receiving port for Stream data

  1. On each indexer, in Splunk Web, go to Settings > Forwarding and receiving.
  2. Click Configure Receiving.
  3. Click New.
  4. Enter the receiving port number. For example, port 9997.
  5. Click Save.


Install and configure Independent Stream Forwarders

To configure an Independent Stream Forwarder to work with your configuration, see Install an Independent Stream Forwarder in this manual.

Stream Easy Setup

Splunk Stream provides an Easy Setup page that can help you set up and configure data collection on local and remote machines.

Set up data collection on local machine

Select the Collect data from this machine using Wire Data check box.

  • If you see "Splunk_TA_stream is not properly configured," click Redetect. In most cases, this sets the permissions the streamfwd binary needs to capture packets on network interfaces.
  • If you still see "Splunk_TA_stream is not properly configured," follow these troubleshooting steps:
  1. Click Check Wire Data Input. This opens the Wire Data data input page.
  2. Click on streamfwd to check the data input.
  3. Click Save to validate the input.
  4. Click the Splunk_TA_stream log file. Examine the search results for errors.
  5. If you are still unable to configure Splunk_TA_stream, click the Learn More link. This takes you to documentation that shows how to set proper permissions for Splunk_TA_stream.
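Before working through the troubleshooting steps above (and after running set_permissions.sh earlier in this topic), it helps to confirm directly what the binary's permissions allow. The following check is added here as an example and is not part of Splunk Stream. It rests on a fact about Linux rather than on Stream internals: opening a raw capture socket requires CAP_NET_RAW, so a binary launched by a non-root splunkd must be either setuid root or carry cap_net_raw as a file capability. The default path is an assumption about $SPLUNK_HOME and the add-on's linux_x86_64 layout; pass the real path as the first argument if yours differs.

```python
"""Pre-flight check that a streamfwd binary can capture packets.

Added example; not part of Splunk Stream. On Linux, opening a raw capture
socket requires CAP_NET_RAW, so a binary started by a non-root splunkd must
be setuid root or carry cap_net_raw as a file capability; either satisfies
the kernel. The default path below assumes $SPLUNK_HOME=/opt/splunk and the
add-on's linux_x86_64 layout.
"""
import os
import shutil
import stat
import subprocess
import sys

DEFAULT_STREAMFWD = "/opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd"  # assumed


def file_capabilities(path):
    """Return getcap's output for path, or None when getcap is not installed."""
    getcap = shutil.which("getcap")
    if getcap is None:
        return None
    result = subprocess.run([getcap, path], capture_output=True, text=True)
    return result.stdout.strip()


def check_capture_permissions(path, caps=None):
    """Return a list of problems; an empty list means the binary should be able
    to open capture sockets without running splunkd as root.

    caps lets a caller supply getcap output instead of invoking getcap.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]

    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if not st.st_mode & stat.S_IXUSR:
        problems.append("%s is not executable by its owner" % path)

    setuid_root = bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0
    # A setuid-root binary that others can overwrite is a local privilege escalation.
    if setuid_root and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s is setuid root but writable by group or others" % path)

    if caps is None:
        caps = file_capabilities(path)
    # Matches both getcap output styles: "path = cap_net_raw+eip" and "path cap_net_raw=eip".
    has_net_raw = caps is not None and "cap_net_raw" in caps

    if not (setuid_root or has_net_raw):
        if caps is None:
            problems.append("%s is not setuid root, and getcap is unavailable to confirm cap_net_raw" % path)
        else:
            problems.append("%s is neither setuid root nor granted cap_net_raw (getcap: %r)" % (path, caps))
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_STREAMFWD
    issues = check_capture_permissions(target)
    for issue in issues:
        print("PROBLEM:", issue)
    if not issues:
        print("OK: %s looks able to capture packets" % target)
    sys.exit(1 if issues else 0)
```

If splunkd itself runs as root the capability check is moot, because the binary inherits root's privileges; the check is aimed at the usual case where Splunk runs as an unprivileged service account.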

[Screenshot: Easy Setup page showing the generated curl command]

Set up data collection on remote machines

1. Check Collect data from other machines.

  • If you see "HTTP Event Collector streamfwd token configuration has been enabled," then the HTTP Event Collector endpoint is configured to receive data. Proceed to step 2.
  • If you see "HTTP Event Collector streamfwd token configuration has been disabled," click View Configuration. This opens the HTTP Event Collector page. Click Enable for the streamfwd input to enable the HTTP Event Collector for streamfwd data input.

2. Copy and run the provided curl script on the command line of the Linux machine where you want to install streamfwd. Review the script's contents before you run it on the target host.

The script installs the Stream Forwarder, streamfwd, in /opt/streamfwd.

3. Use the sudo service streamfwd start | stop | restart | status command to control the service.

For example:

sudo service streamfwd start

Note: Installing an Independent Stream Forwarder at this point is not required. You can deploy an Independent Stream Forwarder at any time from the Distributed Forwarder Management page in the splunk_app_stream UI.

For detailed information on Stream forwarder configuration, see: Configure Stream forwarder in this manual.

Last modified on 14 January, 2021
This documentation applies to the following versions of Splunk Stream: 7.3.0

