Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Install and configure forwarders for a Splunk Cloud deployment

To deploy Splunk Stream on Splunk Cloud, contact your Splunk Cloud account team. Once you account team has configured your Splunk Cloud deployment, you can install forwarders to send data to your Cloud configuration:

  • Configure on-premise Splunk Stream forwarders to manage jobs or to capture data and send it the to Splunk Cloud indexers.
  • Configure an Independent Stream Forwarder deployment to use HEC to send data from a forwarder to your Splunk Cloud indexers.

Install Splunk Add-on for Stream Forwarder

For on-premise Splunk Add-on for Stream Forwarders you install and configure Splunk_TA_stream:

  1. Go to http://splunkbase.com/app/5238
  2. Download the Splunk Add-on for Stream and unpack the .tgz package.
  3. Place the resulting Splunk_TA_stream folder in the $SPLUNK_HOME/etc/apps directory on your forwarder.
  4. Make sure that your forwarder has access to the search head and port number. If you do not have this information, you can speak to your Splunk Cloud account team. The data is fetched from the Splunk App for Stream (splunk_app_stream) package that was configured as part of your Managed Splunk Cloud configuration.
  5. If you are running Stream on Linux or OSX, run the set_permissions.sh script in the Splunk_TA_stream directory. 
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
sudo chmod +x ./set_permissions.sh
sudo ./set_permissions.sh
  6. Open Splunk_TA_stream/local/inputs.conf.
  7. Edit the splunk_stream_app_location attribute to provide the location of the splunk_app_stream package that was configured as part of your managed Splunk Cloud configuration. In this example we provide the forwarder with access to port 443/SSL to fetch their stream configurations over API. 
    [streamfwd://streamfwd]
splunk_stream_app_location = https://searchHead/en-us/custom/splunk_app_stream/:443
stream_forwarder_id = 
disabled = 0
  8. Restart the forwarder.

For more information, see Introduction to Getting Data In in the Splunk Cloud Platform Admin Manual.

To configure your forwarder settings, see Configure Stream forwarder.

Independent Stream Forwarders

Independent Stream Forwarders (ISF) use HEC to send data to indexers in Splunk Cloud. This feature uses token-based authentication to ensure that your credentials are never transmitted from your on-premises systems to Splunk Cloud.

To install and configure an Independent Stream Forwarder from a Splunk Cloud configuration, see Install and configure an Independent Stream Forwarder from Splunk Cloud.

For more information, see Work with the HTTP Event Collector in the Splunk Cloud Platform Admin Manual.


See also: Install the Splunk Add-on for Stream Forwarder

Last modified on 12 August, 2022
Install Splunk Stream on a Managed Cloud deployment   Install an Independent Stream Forwarder for Splunk Cloud

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters