Splunk Stream for Cloud deployment architecture
To deploy Splunk Stream, contact your Splunk Cloud account team to install the Splunk App for Stream on Splunk Cloud. This installation typically includes a search head and an indexer.
You can install forwarders that work with this managed configuration. Forwarders fetch Stream configuration data from the Splunk App for Stream (splunk_app_stream), which is installed on the search head on your Managed Splunk Cloud instance. The forwarders send captured data back to the Splunk Cloud indexers.
Splunk Stream supports two types of forwarders for a Managed Cloud instance of Splunk Stream.
- Splunk Add-on for Stream Forwarders (Splunk_TA_stream) installed on universal forwarders. The configured Stream forwarder sends data over the Splunk2Splunk Protocol. If you use a heavy forwarder to collect and parse data, also install the Add-on for Stream Wire Data (Splunk_TA_stream_wire_data) on that heavy forwarder wherever that index performs pipeline processing.
- An Independent Stream Forwarder (ISF). These forwarders send captured data using the HTTP Event Collector (HEC) to the Splunk Cloud indexers.
The following diagram shows the deployment architecture of Splunk Stream on a Managed Splunk Cloud deployment with forwarders.
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0