Splunk Stream

Installation and Configuration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Install an Independent Stream Forwarder

An Independent Stream Forwarder (ISF) is a standalone Stream forwarder. An ISF does not require a Splunk Universal Forwarder to collect wire data. Instead, the ISF sends captured network data to Splunk using the HTTP event collector.

The Independent Stream Forwarder is helpful in networks and deployment where a Splunk Universal Forwarder cannot be installed.

Splunk Stream provides a binary code that lets you install Independent Stream Forwarders on compatible Linux machines that can send data to your Splunk Cloud or Splunk Enterprise configuration.

You may want to use an independent Stream forwarder deployment if, for example, you want to capture network data from a Linux host that you are monitoring as part of a network service in a Splunk IT Service Intelligence (ITSI) deployment.

Prerequisites

  • 64-bit Linux only.
  • An existing Splunk Stream 6.5.0 or later deployment.
  • You must configure HTTP event collector (HEC) on indexers to receive data from independent Stream forwarder.

Independent Stream forwarder does not require Universal Forwarder.

  • You must have installed and configured Splunk App for Stream in your Splunk Enterprise or Splunk Cloud configuration.

Install an independent Stream forwarder using curl

Splunk App for Stream (splunk_app_stream) generates a curl script that you can run from the command line to install the forwarder.

  1. In the Splunk App for Stream main menu, click Configuration > Distributed Forwarder Management.
  2. Click Install Stream Forwarder. The Install Stream Forwarder window appears.
  3. Copy the curl script.
  4. SSH into the Linux machine where you want to install the Independent Stream Forwarder.
  5. Run the curl script that you copied from splunk_app_stream. For example:
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash
    
  6. Respond with yes or no at each prompt to download, install, and start the streamfwd binary.


Optionally, you can run the curl script in fully automated mode without prompts:

  1. Run the curl script as shown in step 5 with the following parameters appended: -s -- --accept-defaults. For example:
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash -s -- --accept-defaults
    
  2. Start the streamfwd service.
    sudo service streamfwd start
    
  3. Confirm that the splunk_stream_app_location address is set correctly in /opt/streamfwd/local/inputs.conf.

Enable SSL certificate validation

Enable certificate validation for SSL connections to streamfwd to verify the identity of splunk_app_stream servers.

Enable the HTTP Event Collector to receive data from Stream forwarder

To receive data from an independent Stream forwarder, HTTP event collector (HEC) must be enabled on Splunk indexers. There are two methods for managing HEC configuration for the independent Stream forwarder:

  • Use the default HEC configuration generated by splunk_app_stream on the search head.
  • Manually configure streamfwd.conf on the local Stream forwarder instance.

Enable the default HEC configuration in Splunk Web

When you install Splunk Stream, it automatically generates a default HEC configuration. Independent Stream forwarders receive this default configuration from splunk_app_stream over REST API. Ensure that HEC is enabled for your configuration:

  1. In Splunk App for Stream user interface, click Configuration > Distributed Forwarder Management.
  2. Click Install Stream forwarders.
  3. If the HTTP Event Collector streamfwd token configuration is disabled, click View Configuration. The HTTP event collector page opens.
  4. Click Global Settings.
  5. In the Edit Global Setting modal, click Enabled. This enables the HTTP event collector.
  6. Click Save'.
  7. Enable the streamfwd HTTP Event Collector'" input.

Configure HEC with streamfwd.conf

You can manually configure streamfwd.conf on the Independent Stream Forwarder to specify the HEC token value and indexer URI.

  1. Manually generate the HEC token on the indexer where you want to ingest data.
  2. On the Independent Stream Forwarder instance, open /opt/streamfwd/local/streamfwd.conf
  3. In the [streamfwd] stanza, specify the HEC token value and the indexer URI. By default, the HEC receives data over http on TCP port 8088. Make sure to specify this in the URI.
    [streamfwd]
    httpEventCollectorToken = 6fe91580-2156-4644-8416-8b8d22b197ab
    indexer.<N>.uri = http://idx-01.sv.splunk.com:8088
    

For instructions on generating HEC tokens, see Use HTTP Event Collector in Getting Data In.

HTTP Event Collector is supported for Independent Stream Forwarder only.

Propagate HTTP Event Collector configuration to indexer cluster

HTTP Event Collector must be enabled and have the identical configuration for [httpː//streamfwd] input and SSL configuration on all indexers to which Stream forwarders are sending events.

Note that splunk_app_stream only generates the streamfwd HTTP Event Collector input on the instance on which it is running. To send data to an indexer cluster, copy the [httpː//streamfwd] stanza from splunk_httpinput/local/inputs.conf on a configured instance to the corresponding splunk_httpinput/local/inputs.conf files on all indexers.

[http://streamfwd]
disabled = 0
token = 521F51A6-093C-4954-80F9-47A5445DFBDD

Upgrade independent Stream forwarder

  1. Log in to the Linux machine running the current version of independent Stream forwarder.
  2. Backup your existing Independent Stream Forwarder configuration.
  3. Stop the streamfwd service.
    cd /opt/streamfwd/bin
    sudo service streamfwd stop
    
  4. Run the curl script.
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash
    
  5. Enter [yes] at the prompt to overwrite the existing installation.
    The script overwrites the existing version of the Independent Stream Forwarder with the updated version and retains all existing Stream forwarder configurations in the migration.
  6. Enter [yes] at the prompt to start the streamfwd service.
Last modified on 26 January, 2024
PREVIOUS
Configure Forwarder Parameters in streamfwd.conf
  NEXT
Command line options for the Independent Stream Forwarder

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters