Splunk Stream

Release Notes

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

What's New

Splunk Stream version 8.1 was released on June 29, 2022.

Stream 8.1 contains a number of bug fixes, see the release notes for more information.

New features

Splunk Stream can now automatically pull proprietary Netflow configurations from configuration apps that you create and install. Splunk Stream uses these configuration apps to automatically configure Netflow proprietary elements. For more information, see Automatically input data with Netflow proprietary configurations.

What has changed in Splunk Universal forwarder 9.0.1

As of Splunk Universal forwarder 9.0.1, the capability roles for the forwarder access the forwarder have been reduced. In previous releases, the Splunk Universal forwarder provided three capabilities enabled:

  • CAP_DAC_READ_SEARCH
  • CAP_NET_ADMIN
  • CAP_NET_RAW

As of version 9.0.1 these three capabilities have been reduced down to one:

  • CAP_DAC_READ_SEARCH

However, Splunk Stream 8.1 still needs the CAP_NET_ADMIN and CAP_NET_RAW capabilities to function properly. You must specify these capabilities in the Splunk universal forwarder systemd service unit file.

To change the Splunk Universal forwarder systemd service unit file to add the additional capabilities needed for Stream:

  1. Locate of Splunk Universal forwarder systemd service unit file using the following command: $SPLUNK_HOME/bin/splunk display boot-start
    • If you haven't enabled boot-start on your forwarder, the Splunk universal forwarder systemd service unit file is located at /lib/systemd/system/SplunkForwarder.service.
    • If you have enabled boot-start on your forwarder, the Splunk universal forwarder systemd service unit file is located at /etc/systemd/system/SplunkForwarder.service
  2. Edit Splunk Universal forwarder systemd service unit file and edit the line: AmbientCapabilities=CAP_DAC_READ_SEARCH To: CAP_NET_ADMIN and CAP_NET_RAW AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
  3. Reload the systemd daemon for the unit file change to take effect: sudo systemctl daemon-reload
  4. Restart the Splunk universal forwarder: sudo $SPLUNK_HOME/bin/splunk restart
Last modified on 10 June, 2024
  Fixed issues

This documentation applies to the following versions of Splunk Stream: 8.1.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters