Splunk Stream

Installation and Configuration Manual

Install and configure forwarders for a Splunk Cloud deployment

To deploy Splunk Stream on Splunk Cloud, contact your Splunk Cloud account team. Once your account team has configured your Splunk Cloud deployment, you can install forwarders to send data to your Cloud configuration:

  • Configure on-premise Splunk Stream forwarders to manage jobs or to capture data and send it to the Splunk Cloud indexers.
  • Configure an Independent Stream Forwarder deployment to use HEC to send data from a forwarder to your Splunk Cloud indexers.

Install Splunk Add-on for Stream Forwarder

For an on-premise forwarder, install and configure the Splunk Add-on for Stream Forwarder (Splunk_TA_stream_forwarder):

  1. Go to http://splunkbase.com/app/5238
  2. Download the Splunk Add-on for Stream Forwarder and unpack the .tgz package.
  3. Place the resulting Splunk_TA_stream_forwarder folder in the $SPLUNK_HOME/etc/apps directory on your forwarder.
  4. Make sure that your forwarder has access to the search head and port number. If you do not have this information, you can speak to your Splunk Cloud account team. The data is fetched from the Splunk App for Stream (splunk_app_stream) package that was configured as part of your Managed Splunk Cloud configuration.
    1. Open Splunk_TA_stream_forwarder/local/inputs.conf.
    2. Edit the splunk_stream_app_location attribute to provide the location of the splunk_app_stream package that was configured as part of your managed Splunk Cloud configuration. In this example, the forwarder has access to port 8443 or 443/SSL so that it can fetch its stream configuration over the API.
      splunk_stream_app_location = https://searchHead:8443/en-us/custom/splunk_app_stream/
      stream_forwarder_id = 
      disabled = 0
  5. Restart the forwarder.
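
As an added example (not part of the Splunk documentation), the following shell script checks the step 4 settings before the restart: it confirms that splunk_stream_app_location uses HTTPS and that disabled is 0, and prints the host and port the forwarder must be able to reach. The function names are hypothetical, and the warning about the URL path is an assumption based on the example URL in step 4.

```shell
#!/bin/sh
# Added example (not Splunk code): lint the forwarder settings from step 4.

# Print the last value assigned to KEY ($2) in conf FILE ($1); comments are skipped.
get_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print host:port for a URL, defaulting to 443 (IPv6 literals are not handled).
stream_endpoint() {
    hostport=${1#*://}
    hostport=${hostport%%/*}
    case $hostport in
        *:*) echo "$hostport" ;;
        *)   echo "$hostport:443" ;;
    esac
}

# Return 0 only if the configuration is fetched over HTTPS and disabled = 0.
check_stream_inputs() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }
    loc=$(get_conf_value "$conf" splunk_stream_app_location)
    dis=$(get_conf_value "$conf" disabled)
    case $loc in
        https://?*) echo "OK: stream configuration fetched over TLS from $(stream_endpoint "$loc")" ;;
        http://*)   echo "FAIL: splunk_stream_app_location uses plaintext HTTP"; rc=1 ;;
        "")         echo "FAIL: splunk_stream_app_location is not set"; rc=1 ;;
        *)          echo "FAIL: unrecognized URL: $loc"; rc=1 ;;
    esac
    case $loc in
        */custom/splunk_app_stream/) ;;
        ?*) echo "WARN: URL does not end in /custom/splunk_app_stream/" ;;
    esac
    [ "$dis" = "0" ] || { echo "FAIL: disabled is '${dis}', expected 0"; rc=1; }
    return $rc
}

# Constructed sample with the values shown in step 4.
sample=$(mktemp)
printf '%s\n' \
    'splunk_stream_app_location = https://searchHead:8443/en-us/custom/splunk_app_stream/' \
    'stream_forwarder_id = ' \
    'disabled = 0' > "$sample"
check_stream_inputs "$sample"
rm -f "$sample"
```

To check a real forwarder, call check_stream_inputs on $SPLUNK_HOME/etc/apps/Splunk_TA_stream_forwarder/local/inputs.conf and confirm that the reported host and port are allowed through your firewall.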

For more information, see Introduction to Getting Data In in the Splunk Cloud Admin Manual.

To configure your forwarder settings, see Configure Stream forwarder.

Independent Stream Forwarders

Independent Stream Forwarders (ISF) use HEC to send data to indexers in Splunk Cloud. This feature uses token-based authentication to ensure that your credentials are never transmitted from your on-premises systems to Splunk Cloud.

To install and configure an Independent Stream Forwarder from a Splunk Cloud configuration, see Install and configure an Independent Stream Forwarder from Splunk Cloud.

For more information, see Work with the HTTP Event Collector in the Splunk Cloud Admin Manual.

Last modified on 06 May, 2021

This documentation applies to the following versions of Splunk Stream: 7.3.0