Install and configure forwarders for a Splunk Cloud deployment
To deploy Splunk Stream on Splunk Cloud, contact your Splunk Cloud account team. Once you account team has configured your Splunk Cloud deployment, you can install forwarders to send data to your Cloud configuration:
- Configure on-premise Splunk Stream forwarders to manage jobs or to capture data and send it the to Splunk Cloud indexers.
- Configure an Independent Stream Forwarder deployment to use HEC to send data from a forwarder to your Splunk Cloud indexers.
Install Splunk Add-on for Stream Forwarder
For on-premise Splunk Add-on for Stream Forwarders you install and configure Splunk_TA_stream
:
- Go to http://splunkbase.com/app/5238
- Download the Splunk Add-on for Stream and unpack the
.tgz
package. - Place the resulting
Splunk_TA_stream
folder in the$SPLUNK_HOME/etc/apps
directory on your forwarder. - Make sure that your forwarder has access to the search head and port number. If you do not have this information, you can speak to your Splunk Cloud account team. The data is fetched from the Splunk App for Stream (
splunk_app_stream
) package that was configured as part of your Managed Splunk Cloud configuration. - If you are running Stream on Linux or OSX, run the
set_permissions.sh
script in the Splunk_TA_stream directory.cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream sudo chmod +x ./set_permissions.sh sudo ./set_permissions.sh
- Open
Splunk_TA_stream/local/inputs.conf
. - Edit the
splunk_stream_app_location
attribute to provide the location of thesplunk_app_stream
package that was configured as part of your managed Splunk Cloud configuration. In this example we provide the forwarder with access to port 443/SSL to fetch their stream configurations over API.[streamfwd://streamfwd] splunk_stream_app_location = https://searchHead/en-us/custom/splunk_app_stream/:443 stream_forwarder_id = disabled = 0
- Restart the forwarder.
For more information, see Introduction to Getting Data In in the Splunk Cloud Platform Admin Manual.
To configure your forwarder settings, see Configure Stream forwarder.
Independent Stream Forwarders
Independent Stream Forwarders (ISF) use HEC to send data to indexers in Splunk Cloud. This feature uses token-based authentication to ensure that your credentials are never transmitted from your on-premises systems to Splunk Cloud.
To install and configure an Independent Stream Forwarder from a Splunk Cloud configuration, see Install and configure an Independent Stream Forwarder from Splunk Cloud.
For more information, see Work with the HTTP Event Collector in the Splunk Cloud Platform Admin Manual.
Install Splunk Stream on a Managed Cloud deployment | Install an Independent Stream Forwarder for Splunk Cloud |
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0
Feedback submitted, thanks!