Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Install the Splunk Add-on for Stream Forwarder

Use the Deployment server to push Splunk Add-on for Stream Forwarder to all of your forwarders. You can also install Splunk Add-on for Stream Forwarder on individual forwarders.

To install a independent Stream Forwarder, see Install the Independent Stream Forwarder.

If you want to upgrade a forwarder to 7.3 or later, see Migrate Splunk Stream in a distributed deployment.

To configure your forwarders, see Configure your Splunk Stream forwarders

Use the deployment server to distribute Splunk Add-on for Stream Forwarders to universal forwarders

  1. Go to http://splunkbase.com/app/5238.
  2. Click Download. The Splunk_TA_stream_<latest_version>.tgz installation package downloads to your local host.
  3. Log into Splunk Web.
  4. Click Manage Apps > Install app from file.
  5. Upload the Splunk_TA_stream_<latest_version>.tgz installer file.
  6. Restart Splunk Enterprise, if prompted. This installs the Splunk_TA_stream in the $SPLUNK_HOME/etc/apps directory. This is a pre-configured copy of Splunk_TA_stream that you can deploy to universal forwarders using the deployment server.
  7. Set Splunk_TA_stream permissions: On Linux and OSX, run the set_permissions.sh script in the Splunk_TA_stream directory. 
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo chmod +x ./set_permissions.sh
sudo ./set_permissions.sh
    On Windows systems, Splunk Stream supports the Admin role only.

To configure your forwarders, see Configure your Splunk Stream forwarders

Manually install the Splunk Add-on for Stream Forwarders on Splunk forwarders

To collect network data from one or more forwarders without using a deployment server, manually install Splunk_TA_stream on each forwarder.

  1. Go to http://splunkbase.com/app/5238 and download the latest installation package to $SPLUNK_HOME/etc/apps on the Universal Forwarder
  2. Untar the package to $SPLUNK_HOME/etc/apps
  3. Verify that Splunk_TA_stream/local/inputs.conf specifies the correct location of splunk_app_stream. 
     [streamfwd://streamfwd]
splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id = 
disabled = 0
  4. Verify that Splunk_TA_stream/local/streamfwd.conf is configured to collect data from the network interface. By default, streamfwd.conf collects data from all network interfaces.
  5. Set Splunk_TA_stream permissions: On Linux and OSX, run the set_permissions.sh script in the Splunk_TA_stream directory. 
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo chmod +x ./set_permissions.sh
sudo ./set_permissions.sh
  6. Restart Splunk Enterprise.
Last modified on 03 March, 2022
Migrate Splunk Stream in a Splunk Single Instance deployment   Upgrade the Splunk Add-on for Stream Forwarders

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters