Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Install Splunk Stream on a single instance deployment

In a single-instance deployment of Splunk, the same single Splunk Enterprise instance serves as both search head and indexer. All packages are installed on your single instance.

For full Splunk Stream functionality, you download and install three packages on your Splunk Enterprise instance:

  • Splunk App for Stream, packaged as splunk_app_stream
  • Splunk Add-on for Stream Forwarders, packaged as Splunk_TA_stream
  • Splunk Add-on for Stream Wire Data, packaged as Splunk_TA_stream_wire_data

Splunk Stream also provides Independent Stream Forwarders, which are packaged as a binary file <streamfwd> in the Splunk App for Stream package.

For more about Splunk Stream components, see Splunk Stream installation package overview in this manual.

Install the Splunk App for Stream

To deploy the Splunk App for Stream, install splunk_app_stream in $SPLUNK_HOME/etc/apps on your Splunk Enterprise instance.

  1. Go to http://splunkbase.splunk.com/app/1809
  2. Click Download. The installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Click Manage Apps > Install app from file.
  5. Upload the installer file.
  6. Restart Splunk Enterprise if prompted.

Install the Splunk Add-on for Stream Wire Data

To deploy the Splunk Add-on for Stream Wire Data, install Splunk_TA_stream_wire_data in $SPLUNK_HOME/etc/apps on your Splunk Enterprise instance.

  1. Go to http://splunkbase.com/app/5234
  2. Click Download. The installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Click Manage Apps > Install app from file.
  5. Upload the installer file.
  6. Restart Splunk Enterprise if prompted.

Install Splunk Add-on for Stream Forwarder on a single instance

To configure your single instance of Splunk Enterprise as a Stream forwarder, install Splunk_TA_stream in $SPLUNK_HOME/etc/apps on your Splunk Enterprise instance.

  1. Go to http://splunkbase.com/app/5238.
  2. Click Download. The installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Click Manage Apps > Install app from file.
  5. Upload the installer file.
  6. Restart Splunk Enterprise if prompted.

Stream Easy Setup

Splunk Stream provides an Easy Setup page that can help you set up and configure data collection on your local machines for deployment on a single instance of Splunk Enterprise.

Set up data collection on the local machine

  1. Select the Collect data from this machine using Wire Data input check box.
  2. If you see the message "Splunk_TA_stream is not properly configured," click Redetect. In most cases, this sets proper permissions for the streamfwd binary to capture packets on network interfaces.
  3. If Splunk cannot detect the binary and you still see the message "Splunk_TA_stream is not properly configured," try the following:
    1. Click Check Wire Data Input. This opens the Wire Data data input page.
    2. Click on streamfwd to check the data input.
    3. Click Save to validate the input.
    4. Click the Splunk_TA_stream log file. Examine the search results for errors.
    5. If you are still unable to configure Splunk_TA_stream, click the Learn More link. This takes you to documentation that shows how to set proper permissions for Splunk_TA_stream.
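
A post-install check for the steps above, added here as an example and not part of Splunk's documentation or tooling: it confirms that the three packages are present in $SPLUNK_HOME/etc/apps and flags any streamfwd binary that group or other users can write to. The function names and the writability check are assumptions of this example.

```sh
#!/bin/sh
# Added example: post-install check for the single-instance layout on this page.
# Package directory names, $SPLUNK_HOME/etc/apps and the streamfwd binary name
# come from the page; function names and the writability check are assumptions.

STREAM_APPS="splunk_app_stream Splunk_TA_stream Splunk_TA_stream_wire_data"

# Print each expected package directory that is missing from <home>/etc/apps.
missing_stream_apps() {
    for app in $STREAM_APPS; do
        [ -d "$1/etc/apps/$app" ] || printf '%s\n' "$app"
    done
}

# Print each streamfwd binary that group or other users can write to.
# The binary is given permission to capture packets, so anyone able to
# replace it inherits that permission.
writable_streamfwd() {
    find "$1/etc/apps" -type f -name streamfwd \
        \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Run both checks; return 0 only when nothing is missing or writable.
check_stream_install() {
    home=${1:-$SPLUNK_HOME}
    rc=0
    for app in $(missing_stream_apps "$home"); do
        echo "MISSING  $home/etc/apps/$app"
        rc=1
    done
    for bin in $(writable_streamfwd "$home"); do
        echo "WRITABLE $bin"
        rc=1
    done
    return $rc
}

# Usage: sh check_stream.sh /opt/splunk   (path is a constructed sample)
if [ $# -gt 0 ]; then
    check_stream_install "$1"
fi
```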


Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0

