Install Splunk Stream in a distributed deployment
To deploy Splunk Stream you install three Stream components on your Splunk Enterprise instances and/or compatible Linux machines.
Product name | Installation package name | Installed file name |
---|---|---|
Splunk App for Stream | splunk_app_stream
|
splunk_app_stream/
|
Splunk Add-on for Stream Forwarders | Splunk_TA_stream
|
Splunk_TA_stream/
|
Splunk Add-on for Stream Wire Data | Splunk_TA_stream_wire_data
|
Splunk_TA_stream_wire_data/
|
Splunk Stream also provides Independent Stream Forwarders, which is is packaged as a binary file <streamfwd>
in the Splunk App for Stream package.
For more about Splunk Stream components, see Splunk Stream installation package overview in this manual.
Install Splunk App for Stream on search heads
- Go to http://splunkbase.splunk.com/app/1809.
- Click Download. The installation package downloads to your local host.
- Log into Splunk Web.
- Go to the command line and untar the installation file to
SPLUNK_HOME/etc/apps/
. - Restart Splunk Enterprise, if prompted. This installs the Splunk App for Stream (
Splunk_app_stream
) in$SPLUNK_HOME/etc/apps
.
Install the Splunk Add-on for Stream Wire Data
Install the Splunk Add-on for Stream Wire Data on search heads and indexers.
- http://splunkbase.com/app/5234.
- Click Download. The installation package downloads to your local host.
- Log into Splunk Web.
- Click Manage Apps > Install app from file.
- Upload the installer file.
- Restart Splunk Enterprise if prompted.
Use the deployment server to distribute the Splunk Add-on for Stream Forwarders
- Go to http://splunkbase.com/app/5238.
- Click Download. The installation package downloads to your local host.
- Log into Splunk Web.
- Go to the command line and untar the installation package to
SPLUNK_HOME/etc/apps/
. - Restart Splunk Enterprise, if prompted. This installs the Splunk Add-on for Stream Forwarder (
Splunk_TA_stream
) in the$SPLUNK_HOME/etc/deployment-apps
directory. This is a pre-configured copy of the Splunk Add-on for Stream Forwarder that you can deploy to forwarders using the deployment server. - Set
Splunk_TA_stream
permissions. - On Linux and OSX, run the
set_permissions.sh
script in theSplunk_TA_stream
directory.<class=samplecode>cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream sudo chmod +x ./set_permissions.sh sudo ./set_permissions.sh
- On Windows systems, Splunk Stream supports the Admin role only.
Enable SSL certificate validation
Enable certificate validation for SSL connections to Splunk_TA_stream
to verify the identity of splunk_app_stream
servers. To enable certificate validation, edit the parameters in inputs.conf
.
- Edit
$SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf
to set the following parameters:sslVerifyServerCert = true
Enables the server (splunk_app_stream) certificate validation on the client (streamfwd) side.rootCA = <path>
: Points to the file name of the root CA certificate file.sslCommonNameToCheck = <commonName>
: Allows for overriding common name value to compare against the certificate CN.
Configure the indexer receiving port for Stream data
- On the indexers tab, go to Settings > Forwarding and Receiving.
- Click Configure Receiving.
- Click New.
- Enter the receiving port number. For example, port 9997.
- Click Save.
Install and configure Independent Stream Forwarders
To configure an Independent Stream Forwarder to work with your configuration, see Install an Independent Stream Forwarder in this manual.
Stream Easy Setup
Splunk Stream provides an Easy Setup page that can help you set up and configure data collection on local and remote machines.
Set up data collection on local machine
Select the Collect data from this machine using Wire Data check box.
- If you see "Splunk_TA_stream is not properly configured," click Redetect. In most cases, this sets proper permissions for the the
streamfwd
binary to capture packets on network interfaces. - If you still see "Splunk_TA_stream is not properly configured," follow these Steps to Troubleshoot:
- Click Check Wire Data Input. This opens the Wire Data data input page.
- Click on streamfwd to check the data input.
- Click Save to validate the input.
- Click the Splunk_TA_stream log file. Examine the search results for errors.
- If you are still unable to configure
Splunk_TA_stream
, click the Learn More link. This takes you to documentation that shows how to set proper permissions forSplunk_TA_stream
.
Set up data collection on remote machines
1. Check Collect data from other machines.
- If you see "HTTP Event Collector streamfwd token configuration has been enabled," then the HTTP Event Collector endpoint is configured to receive data. Proceed to step 2.
- If you see "HTTP Event Collector streamfwd token configuration has been disabled," click View Configuration. This opens the HTTP Event Collector page. Click Enable for the streamfwd input to enable the HTTP Event Collector for streamfwd data input.
2. Copy and run the provided curl script on the command line of the Linux machine where you want to install streamfwd
.
The script installs Stream Forwarder streamfwd
in /opt/streamfwd
.
3. Use the sudo service streamfwd start | stop | restart | status
command to control the service.
For example:
sudo service streamfwd start
Note: Independent Stream Forwarder installation is not required. You can deploy an Independent Stream Forwarder at anytime from the Distributed Forwarder Management page in the splunk_app_stream
UI.
For detailed information on Stream forwarder configuration, see: Configure Stream forwarder in this manual.
Distributed deployment installation and configuration overview | Migrate Splunk Stream in a distributed deployment |
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0
Feedback submitted, thanks!