Splunk Stream

Installation and Configuration Manual


Migrate Splunk Stream in a distributed deployment

As of version 7.3, Splunk Stream is packaged as three components. After migration, managing and upgrading components will be easier and will work more readily with Splunk management tools for clustered environments.

| Product name | Installation package name | Installed file name |
|---|---|---|
| Splunk App for Stream | splunk_app_stream | splunk_app_stream/ |
| Splunk Add-on for Stream Forwarders | Splunk_TA_stream | Splunk_TA_stream/ |
| Splunk Add-on for Stream Wire Data | Splunk_TA_stream_wire_data | Splunk_TA_stream_wire_data/ |

Independent Stream Forwarders are packaged as a binary file <streamfwd> in the Splunk App for Stream package.

For more about Splunk Stream components, see Splunk Stream installation package overview in this manual.

Upgrade Splunk App for Stream and Install Splunk Add-on for Stream Wire Data

Migrate from a previous version of Splunk Stream that included Splunk App for Stream and Splunk Add-on for Stream Forwarders.

For information about deploying apps and add-ons to search head clusters and indexer clusters, see App deployment overview in the Splunk Enterprise Admin Manual.

To download the files for this task:

  1. If you are running in data capture mode on your indexers or search head, disable the Splunk Add-on for Stream Forwarders (Splunk_TA_stream). Do this by setting the Splunk Add-on for Stream Forwarders to disabled = 1 in app.conf.
  2. (Optional) If you use a deployer, back up your existing version of the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) and the Splunk App for Stream (splunk_app_stream).
  3. Install the Splunk Add-on for Stream Wire Data (Splunk_TA_stream_wire_data) on your search heads and indexers.
  4. If you kept any of the following files in Splunk_TA_stream/local/ of your previous installation, use the backup you created in step two to move them to Splunk_TA_stream_wire_data/local/ before pushing the add-ons to the cluster.
    • distsearch.conf
    • tags.conf
    • props.conf
    • transforms.conf
    • eventtypes.conf
    • indexes.conf (for indexer package only)
  5. (Optional) If you have moved the files in step four to Splunk_TA_stream_wire_data/local/, delete them from Splunk_TA_stream. This keeps the installation clean and avoids potential conflicts with future release changes.
  6. (Optional) To continue to collect network data from your search heads and indexers you can upgrade the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) on your search heads and indexers.
  7. Upgrade the Splunk App for Stream (splunk_app_stream) on your search heads. Do not disable or delete Splunk App for Stream after installation, because this file retains all forwarder configurations.
  8. Enable the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) by setting the app.conf file to enabled = 0.
  9. Restart your search heads and indexers.
  10. Check your dashboards to verify that your data flows as expected.
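
Steps 2, 4 and 5 can be scripted so that the backup always happens first and no existing file in the new add-on is overwritten. The following is an added example, not part of the Splunk documentation or tooling; the function name `migrate_stream_local`, its arguments and the backup file name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Splunk's tooling. Covers steps 2, 4 and 5 for one host.
# Usage: migrate_stream_local APPS_DIR BACKUP_DIR [indexer]
#   APPS_DIR   directory that holds both add-ons (assumption: the staging
#              directory your deployer or cluster manager pushes from)
#   BACKUP_DIR where the backup archive of Splunk_TA_stream/local is written
#   indexer    literal word; include indexes.conf (indexer package only)
migrate_stream_local() {
    apps_dir=$1; backup_dir=$2; role=${3:-searchhead}
    src="$apps_dir/Splunk_TA_stream/local"
    dst="$apps_dir/Splunk_TA_stream_wire_data/local"
    files="distsearch.conf tags.conf props.conf transforms.conf eventtypes.conf"
    if [ "$role" = indexer ]; then files="$files indexes.conf"; fi

    if [ ! -d "$apps_dir/Splunk_TA_stream_wire_data" ]; then
        echo "Splunk_TA_stream_wire_data is not installed (step 3)" >&2
        return 1
    fi
    if [ ! -d "$src" ]; then echo "no $src, nothing to migrate"; return 0; fi

    # Refuse to overwrite a file already present in the destination; the
    # check runs before anything is changed so a conflict leaves both intact.
    for f in $files; do
        if [ -e "$src/$f" ] && [ -e "$dst/$f" ]; then
            echo "conflict: $dst/$f already exists, merge it by hand" >&2
            return 2
        fi
    done

    # Step 2: archive the old local/ directory, timestamped so that a rerun
    # never replaces an earlier backup.
    mkdir -p "$backup_dir" "$dst" || return 1
    backup="$backup_dir/Splunk_TA_stream-local-$(date +%Y%m%d%H%M%S).tgz"
    tar -C "$apps_dir" -czf "$backup" Splunk_TA_stream/local || return 1

    # Steps 4 and 5: a move both installs the file in the new add-on and
    # removes it from the old one. Files not on the list stay in place.
    moved=0
    for f in $files; do
        [ -e "$src/$f" ] || continue
        mv "$src/$f" "$dst/$f" || return 1
        moved=$((moved + 1))
    done
    echo "moved $moved file(s); backup: $backup"
}
```

Run it against the staging copy before pushing the add-ons to the cluster, and pass `indexer` as the third argument only for the indexer package.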

Upgrade the Splunk Add-on for Stream Forwarders

Use the Deployment server for easy and consistent implementation across all forwarders. If your Stream deployment includes additional forwarders that are not on your Deployment server or if you are not using the Deployment server, you must manually upgrade Splunk Add-on for Stream Forwarders (Splunk_TA_stream) on each forwarder.

For information about deploying apps and add-ons to search head clusters and indexer clusters, see App deployment overview in the Splunk Enterprise Admin Manual.

Download the Splunk Add-on for Stream Forwarders at http://splunkbase.com/app/5238.

  1. ssh into the deployment server for the forwarders.
  2. Make a backup of your existing version of Splunk_TA_stream.
  3. Extract the latest version of the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) over your previous version.
  4. (Optional) Remove all of the files listed in step four of "Upgrade Splunk App for Stream and Install Splunk Add-on for Stream Wire Data" in this topic.
  5. Reload your Deployment server to push the new version of the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) to the forwarders.

On Windows systems, Splunk Stream uses the WinPcap driver to capture packets. Due to a flaw in the WinPcap security model, installing Stream on Windows allows all local users to use WinPcap for packet sniffing. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges. On Windows systems, Splunk Stream supports the Admin role only.

Last modified on 24 September, 2020

This documentation applies to the following versions of Splunk Stream: 7.3.0
