Splunk Stream

Release Notes

What's New

Splunk Stream version 8.1 was released on June 29, 2022.

Stream 8.1 contains a number of bug fixes. See the release notes for more information.

New features

Splunk Stream can now automatically pull proprietary Netflow configurations from configuration apps that you create and install. Splunk Stream uses these configuration apps to automatically configure Netflow proprietary elements. For more information, see Automatically input data with Netflow proprietary configurations.

What has changed in Splunk Universal forwarder 9.0.1

As of Splunk Universal forwarder 9.0.1, we have reduced the capabilities the forwarder runs with, and the Splunk admin needs to specify any additional capabilities in the Splunk Universal forwarder systemd service unit file.

Previously, the Splunk Universal forwarder ran with three ambient capabilities enabled:

  • CAP_DAC_READ_SEARCH
  • CAP_NET_ADMIN
  • CAP_NET_RAW

As of version 9.0.1, these three capabilities have been reduced to one:

  • CAP_DAC_READ_SEARCH

However, Splunk Stream 8.1 still needs the CAP_NET_ADMIN and CAP_NET_RAW capabilities to function properly. You must specify these capabilities in the Splunk Universal forwarder systemd service unit file.

To add the capabilities that Stream needs to the Splunk Universal forwarder systemd service unit file:

  1. Locate the Splunk Universal forwarder systemd service unit file using the following command: $SPLUNK_HOME/bin/splunk display boot-start
    • If you haven't enabled boot-start on your forwarder, the Splunk Universal forwarder systemd service unit file is located at /lib/systemd/system/SplunkForwarder.service.
    • If you have enabled boot-start on your forwarder, the Splunk Universal forwarder systemd service unit file is located at /etc/systemd/system/SplunkForwarder.service.
  2. Edit the Splunk Universal forwarder systemd service unit file and change the line:
       AmbientCapabilities=CAP_DAC_READ_SEARCH
     to add CAP_NET_ADMIN and CAP_NET_RAW:
       AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_NET_ADMIN CAP_NET_RAW
  3. Reload the systemd daemon for the unit file change to take effect: sudo systemctl daemon-reload
  4. Restart the Splunk Universal forwarder: sudo $SPLUNK_HOME/bin/splunk restart
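
To confirm the change described in the steps above, the following added example (not part of the Splunk documentation or product) checks a unit file for the two capabilities Stream needs and checks a process's ambient capability mask after the restart. The function names are hypothetical and the sample unit content is constructed.

```shell
#!/bin/sh
# Added example (not Splunk code). Function names are hypothetical.
# Capabilities Stream 8.1 needs on top of the forwarder 9.0.1 default.
REQUIRED_CAPS="CAP_NET_ADMIN CAP_NET_RAW"

# Print the ambient capability set a unit file ends up with, one per line.
# systemd merges repeated AmbientCapabilities= lines, and an empty
# assignment resets the set. The "~" (subtract) form is not handled.
ambient_caps() {
    awk '
        /^[ \t]*AmbientCapabilities[ \t]*=/ {
            sub(/^[^=]*=/, "")
            if ($0 ~ /^[ \t]*$/) { split("", caps); next }
            n = split($0, f, /[ \t]+/)
            for (i = 1; i <= n; i++) if (f[i] != "") caps[f[i]] = 1
        }
        END { for (c in caps) print c }
    ' "$1"
}

# Print each required capability that the unit file does not grant.
missing_stream_caps() {
    have=$(ambient_caps "$1")
    for cap in $REQUIRED_CAPS; do
        printf '%s\n' "$have" | grep -qx "$cap" || printf '%s\n' "$cap"
    done
}

# Succeed if a CapAmb hex mask from /proc/<pid>/status includes both
# CAP_NET_ADMIN (bit 12) and CAP_NET_RAW (bit 13), per linux/capability.h.
capamb_has_stream_caps() {
    mask=$((0x$1))
    want=$(( (1 << 12) | (1 << 13) ))
    [ $(( mask & want )) -eq "$want" ]
}

# Constructed sample: a unit file still carrying the unedited 9.0.1 line.
sample=$(mktemp)
printf '[Service]\nAmbientCapabilities=CAP_DAC_READ_SEARCH\n' > "$sample"
echo "missing before edit:" $(missing_stream_caps "$sample")
rm -f "$sample"
```

On a forwarder host, pass the unit file path from step 1 to missing_stream_caps, and after step 4 pass the CapAmb value from the forwarder process's /proc/<pid>/status to capamb_has_stream_caps.
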
Last modified on 07 December, 2022

This documentation applies to the following versions of Splunk Stream: 8.1.0