Use Stream configuration templates
Stream configuration templates are pre-defined Stream configurations that provide protocol field mappings for Splunk products.
- Splunk IT Service Intelligence (ITSI): ITSI configuration templates provide custom protocol fields that map to metrics in Splunk ITSI modules.
- Enterprise Security (ES): ES configuration templates provide custom protocol fields that map to CIM data models used in Splunk ES.
You can apply configuration templates to the streamfwd binary using command line options, which lets you configure data capture. Both the Stream forwarder and the ISF support configuration templates.
Activate Stream configuration templates
To activate a Stream configuration template, add the configTemplateName=<product name> parameter to streamfwd.conf. You can use streamfwd command options to add this parameter or manually edit the streamfwd.conf file. You can use one active Stream configuration template at a time.
Stream provides the following streamfwd command options to activate, deactivate, or list installed templates:
-c [TEMPLATE_NAME]    Activate specified product template.
-c                    Deactivate any active product template.
--listtemplates       List installed product templates.
For example, to activate the ITSI configuration template:
./streamfwd -c itsi
Example: Activate configuration template in the Splunk Stream Forwarder
To activate the itsi configuration template for Splunk_TA_stream:
- Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin.
- Run the following command:
  [root@sr-centos2 bin]# ./streamfwd -c itsi
  configuration template located at /opt/splunk/etc/apps/Splunk_TA_stream/configs/itsi activated.
- Restart Splunk.
- Confirm that the configTemplateName = itsi parameter has been added to Splunk_TA_stream/local/streamfwd.conf. For example:
  [streamfwd]
  port = 8889
  ipAddr = 127.0.0.1
  configTemplateName = itsi
Example: Activate configuration template for Independent Stream Forwarder
Independent Stream Forwarder deployments use HTTP Event Collector (HEC) to send data to indexers. When you activate a configuration template for an Independent Stream Forwarder deployment, you manually add one or more indexer.0.uri = <indexer_location> parameters to specify indexer locations.
To activate the es configuration template for an Independent Stream Forwarder deployment:
- Go to opt/streamfwd/bin.
- Run the following command:
  [root@sr-centos2 bin]# ./streamfwd -c es
  configuration template located at /opt/streamfwd/configs/es is activated.
- Restart streamfwd.
- Add indexer.<N>.uri = <indexer_location> parameters to specify indexer locations. For example:
  [streamfwd]
  port = 8889
  ipAddr = 127.0.0.1
  configTemplateName = es
  indexer.0.uri = http://soln-perf110-1:8088
  indexer.1.uri = http://soln-perf11-2:8088
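A check for the final step of both procedures above, as an added example that is not part of the Splunk documentation: it parses a streamfwd.conf body, confirms the expected configTemplateName, collects the indexer.<N>.uri values, and flags HEC URIs that use plaintext http. The function name, the finding strings, and reading the file as INI with "=" delimiters are assumptions of this example.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the ISF streamfwd.conf shown in the example above.
SAMPLE_CONF = """\
[streamfwd]
port = 8889
ipAddr = 127.0.0.1
configTemplateName = es
indexer.0.uri = http://soln-perf110-1:8088
indexer.1.uri = http://soln-perf11-2:8088
"""

def audit_streamfwd_conf(text, expected_template, independent=False):
    """Return (template, indexer_uris, findings) for a streamfwd.conf body."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep key case (configTemplateName, ipAddr)
    try:
        parser.read_string(text)
    except configparser.DuplicateOptionError as exc:
        # Only one template can be active, so a repeated key is ambiguous.
        return None, [], [f"duplicate key {exc.option!r} in [{exc.section}]"]
    if not parser.has_section("streamfwd"):
        return None, [], ["missing [streamfwd] stanza"]
    stanza, findings, uris = parser["streamfwd"], [], {}
    template = stanza.get("configTemplateName")
    if template is None:
        findings.append("configTemplateName not set")
    elif template != expected_template:
        findings.append(f"active template {template!r}, expected {expected_template!r}")
    for key, value in stanza.items():
        parts = key.split(".")  # indexer.<N>.uri
        if len(parts) == 3 and parts[0] == "indexer" and parts[1].isdigit() and parts[2] == "uri":
            uris[int(parts[1])] = value
    if independent and not uris:
        findings.append("no indexer.<N>.uri set for an Independent Stream Forwarder")
    for n in sorted(uris):
        url = urlparse(uris[n])
        if url.scheme not in ("http", "https") or not url.hostname:
            findings.append(f"indexer.{n}.uri is not an http(s) URI: {uris[n]!r}")
        elif url.scheme == "http":
            findings.append(f"indexer.{n}.uri sends HEC traffic over plaintext http")
    return template, [uris[n] for n in sorted(uris)], findings

if __name__ == "__main__":
    template, indexers, findings = audit_streamfwd_conf(SAMPLE_CONF, "es", independent=True)
    print("template:", template, "| indexers:", indexers)
    for finding in findings:
        print("finding:", finding)
```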
This documentation applies to the following versions of Splunk Stream™: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3