Install and configure forwarders for a Splunk Cloud deployment
To deploy Splunk Stream on Splunk Cloud, contact your Splunk Cloud account team. Once you account team has configured your Splunk Cloud deployment, you can install forwarders to send data to your Cloud configuration:
- Configure on-premise Splunk Stream forwarders to manage jobs or to capture data and send it the to Splunk Cloud indexers.
- Configure an Independent Stream Forwarder deployment to use HEC to send data from a forwarder to your Splunk Cloud indexers.
Install Splunk Add-on for Stream Forwarder
For on-premise Splunk Add-on for Stream Forwarders you install and configure
- Go to http://splunkbase.com/app/5238
- Download the Splunk Add-on for Stream and unpack the
- Place the resulting
Splunk_TA_streamfolder in the
$SPLUNK_HOME/etc/appsdirectory on your forwarder.
- Make sure that your forwarder has access to the search head and port number. If you do not have this information, you can speak to your Splunk Cloud account team. The data is fetched from the Splunk App for Stream (
splunk_app_stream) package that was configured as part of your Managed Splunk Cloud configuration.
- If you are running Stream on Linux or OSX, run the
set_permissions.shscript in the Splunk_TA_stream directory.
cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream sudo chmod +x ./set_permissions.sh sudo ./set_permissions.sh
- Edit the
splunk_stream_app_locationattribute to provide the location of the
splunk_app_streampackage that was configured as part of your managed Splunk Cloud configuration. In this example we provide the forwarder with access to port 8443 or 443/SSL to fetch their stream configurations over API.
[streamfwd://streamfwd] splunk_stream_app_location = https://searchHead:8443/en-us/custom/splunk_app_stream/ stream_forwarder_id = disabled = 0
- Restart the forwarder.
For more information, see Introduction to Getting Data In in the Splunk Cloud Platform Admin Manual.
To configure your forwarder settings, see Configure Stream forwarder.
Independent Stream Forwarders
Independent Stream Forwarders (ISF) use HEC to send data to indexers in Splunk Cloud. This feature uses token-based authentication to ensure that your credentials are never transmitted from your on-premises systems to Splunk Cloud.
To install and configure an Independent Stream Forwarder from a Splunk Cloud configuration, see Install and configure an Independent Stream Forwarder from Splunk Cloud.
For more information, see Work with the HTTP Event Collector in the Splunk Cloud Platform Admin Manual.
Install Splunk Stream on a Managed Cloud deployment
Install an Independent Stream Forwarder for Splunk Cloud
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0