Install the Splunk Add-on for Stream Forwarder
Use the Deployment server to push Splunk Add-on for Stream Forwarder to all of your forwarders. You can also install Splunk Add-on for Stream Forwarder on individual forwarders.
To install a independent Stream Forwarder, see Install the Independent Stream Forwarder.
If you want to upgrade a forwarder to 7.3 or later, see Migrate Splunk Stream in a distributed deployment.
To configure your forwarders, see Configure your Splunk Stream forwarders
Use the deployment server to distribute Splunk Add-on for Stream Forwarders to universal forwarders
- Go to http://splunkbase.com/app/5238.
- Click Download. The
Splunk_TA_stream_<latest_version>.tgz
installation package downloads to your local host. - Log into Splunk Web.
- Click Manage Apps > Install app from file.
- Upload the
Splunk_TA_stream_<latest_version>.tgz
installer file. - Restart Splunk Enterprise, if prompted.
This installs the
Splunk_TA_stream
in the$SPLUNK_HOME/etc/apps
directory. This is a pre-configured copy ofSplunk_TA_stream
that you can deploy to universal forwarders using the deployment server. - Set
Splunk_TA_stream
permissions: On Linux and OSX, run theset_permissions.sh
script in theSplunk_TA_stream
directory.On Windows systems, Splunk Stream supports the Admin role only.cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream sudo chmod +x ./set_permissions.sh sudo ./set_permissions.sh
To configure your forwarders, see Configure your Splunk Stream forwarders
Manually install the Splunk Add-on for Stream Forwarders on Splunk forwarders
To collect network data from one or more forwarders without using a deployment server, manually install Splunk_TA_stream
on each forwarder.
- Go to http://splunkbase.com/app/5238 and download the latest installation package to
$SPLUNK_HOME/etc/apps
on the Universal Forwarder - Untar the package to
$SPLUNK_HOME/etc/apps
- Verify that
Splunk_TA_stream/local/inputs.conf
specifies the correct location ofsplunk_app_stream
.[streamfwd://streamfwd] splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/ stream_forwarder_id = disabled = 0
- Verify that
Splunk_TA_stream/local/streamfwd.conf
is configured to collect data from the network interface. By default,streamfwd.conf
collects data from all network interfaces. - Set
Splunk_TA_stream
permissions: On Linux and OSX, run theset_permissions.sh
script in theSplunk_TA_stream
directory.cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream sudo chmod +x ./set_permissions.sh sudo ./set_permissions.sh
- Restart Splunk Enterprise.
Migrate Splunk Stream in a Splunk Single Instance deployment | Upgrade the Splunk Add-on for Stream Forwarders |
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0
Feedback submitted, thanks!