Splunk Stream

Installation and Configuration Manual

Migrate Splunk Stream in a Splunk Single Instance deployment

As of Version 7.3, Splunk Stream is packaged as three components. After migration, managing and upgrading components will be easier and will work more readily with Splunk management tools for clustered environments.

Product name                          Installation package name    Installed file name
Splunk App for Stream                 splunk_app_stream            splunk_app_stream/
Splunk Add-on for Stream Forwarders   Splunk_TA_stream             Splunk_TA_stream/
Splunk Add-on for Stream Wire Data    Splunk_TA_stream_wire_data   Splunk_TA_stream_wire_data/

Independent Stream Forwarders are packaged as a binary file <streamfwd> in the Splunk App for Stream package.

For more about Splunk Stream components, see Splunk Stream installation package overview in this manual.

Upgrade

To upgrade to Splunk Stream 7.3, you upgrade the Splunk App for Stream (splunk_app_stream) and Splunk Add-on for Stream Forwarder (Splunk_TA_stream), and install the Splunk Add-on for Stream Wire Data (Splunk_TA_stream_wire_data).

As a best practice, back up your existing configuration to a separate server or directory in case you need it later.

Upgrade the Splunk App for Stream and Splunk Add-on for Stream Wire Data

To download the files for this task:

  1. If you are running the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) in data capture mode, disable it by setting disabled = 1 in the Splunk_TA_stream app.conf file.
  2. (Optional) Back up your existing version of the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) and the Splunk App for Stream (splunk_app_stream) to a separate directory.
  3. Install the Splunk Add-on for Stream Wire Data (Splunk_TA_stream_wire_data) on your Splunk Enterprise instance.
  4. Use the backup you created in step two to move the following files to Splunk_TA_stream_wire_data/local/.
    • distsearch.conf
    • tags.conf
    • props.conf
    • transforms.conf
    • eventtypes.conf
    • indexes.conf (for indexer package only)
  5. (Optional) Once you have moved the files in step four to Splunk_TA_stream_wire_data/local/, delete them from Splunk_TA_stream. This keeps the installation clean and avoids potential conflicts with future release changes.
  6. Upgrade the Splunk App for Stream (splunk_app_stream) on your Splunk Enterprise instance. Do not disable or delete the Splunk App for Stream after installation, because it retains configurations for the forwarder installation.
  7. Enable the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) on your Splunk Enterprise instance by setting the app.conf file to enabled = 0.
  8. Upgrade the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) on your Splunk Enterprise instance.
  9. Restart your Splunk Enterprise instance.
  10. Verify that all data flows as expected in your dashboards.
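
The backup, move and clean-up steps (2, 4 and 5) above, as an added shell example that is not part of Splunk's documentation or tooling. It assumes both add-ons sit in one apps directory (typically $SPLUNK_HOME/etc/apps) and that the listed files are in the add-on's local/ directory; the function name and the --delete-originals flag are hypothetical.

```shell
#!/bin/sh
# Added example, not Splunk's tooling. Assumes apps live in one directory
# (typically $SPLUNK_HOME/etc/apps) and the listed files sit in local/.

# Files named in step 4; indexes.conf applies to the indexer package only.
STREAM_CONF_FILES="distsearch.conf tags.conf props.conf transforms.conf eventtypes.conf indexes.conf"

# Usage: migrate_stream_confs APPS_DIR BACKUP_DIR [--delete-originals]
# BACKUP_DIR should be a dedicated directory; its mode is set to 700.
# Prints the number of files placed in Splunk_TA_stream_wire_data/local/.
migrate_stream_confs() {
    apps_dir=$1; backup_dir=$2; delete=${3:-}
    src="$apps_dir/Splunk_TA_stream"
    dst="$apps_dir/Splunk_TA_stream_wire_data/local"

    [ -d "$src" ] || { echo "not found: $src" >&2; return 1; }
    [ -d "$apps_dir/Splunk_TA_stream_wire_data" ] ||
        { echo "install Splunk_TA_stream_wire_data first (step 3)" >&2; return 1; }
    # Never overwrite an earlier backup: it may be the only pre-upgrade copy.
    [ ! -e "$backup_dir/Splunk_TA_stream" ] ||
        { echo "backup already exists in $backup_dir" >&2; return 1; }

    # Step 2: back up both apps, readable by the owner only.
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
    cp -Rp "$src" "$backup_dir/" || return 1
    if [ -d "$apps_dir/splunk_app_stream" ]; then
        cp -Rp "$apps_dir/splunk_app_stream" "$backup_dir/" || return 1
    fi

    # Step 4: copy from the backup, never clobbering a file already in place.
    mkdir -p "$dst" || return 1
    moved=0
    for f in $STREAM_CONF_FILES; do
        from="$backup_dir/Splunk_TA_stream/local/$f"
        [ -f "$from" ] || continue
        if [ -e "$dst/$f" ]; then
            echo "skipped $f: already in $dst, merge manually" >&2
            continue
        fi
        cp -p "$from" "$dst/$f" || return 1
        # Step 5 (optional): remove the original once the copy succeeded.
        if [ "$delete" = "--delete-originals" ]; then rm -f "$src/local/$f"; fi
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Runs only when called with arguments: APPS_DIR BACKUP_DIR [--delete-originals]
if [ "$#" -ge 2 ]; then migrate_stream_confs "$@"; fi
```

Files that already exist in Splunk_TA_stream_wire_data/local/ are reported and left for a manual merge, and their originals are not deleted.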

Upgrade the Splunk Add-on for Stream Forwarders

Download the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) at http://splunkbase.com/app/5238.

  1. Make a backup of your existing version of Splunk_TA_stream.
  2. Extract the latest version of the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) over your previous version.
  3. (Optional) Remove all of the files listed in step four of "Upgrade the Splunk App for Stream and Splunk Add-on for Stream Wire Data" in this topic.
  4. Restart your Splunk Enterprise instance.

Splunk Stream uses the WinPcap driver to capture packets on Windows systems. Due to a flaw in the WinPcap security model, installing Stream on Windows allows all local users to use WinPcap for packet sniffing. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges. On Windows systems, Splunk Stream only supports the Admin role.

Last modified on 24 September, 2020

This documentation applies to the following versions of Splunk Stream: 7.3.0