Configure file extraction
To enable file extraction, you map your Splunk Stream deployment to a remote file server. Splunk Stream forwarder and Splunk Independent Stream Forwarder use the file server to store extracted files based on the metadata stream definition. For more information, see Use file extraction in the Splunk Stream User Manual.
Map a deployment to a remote file server
Before you configure file extraction for a metadata stream in splunk_app_stream
, complete the following configuration steps:
1. Set up and mount the file server
Mount a file server for Splunk Stream Forwarder and Independent Stream Forwarder deployments.
- If you do not have one, create a NFS (or similar) file server volume. For more information, see Set up a NFS server.
- On the host machine running the
streamfwd
binary, mount the file server volume.
2. Add file server parameters to streamfwd.conf
- Edit
local/streamfwd.conf
to specify your server parameters in the[streamfwd]
stanza:fileServerId = <value> fileServerMountPoint = <value>
For example:
[streamfwd] fileServerId = 10.140.7.18:/StreamLoad fileServerMountPoint = /streamload
- Restart Splunk.
3. Mount file server on search head
On the search head running splunk_app_stream
, create a mount point. For more information, see Setting up an NFS client.
4. Configure mount point for file server
- In the
splunk_app_stream
UI, click Configuration > File Server Mount Points. - Click Add File Server.
- Specify the File Server and Mount Point. Click Create.
The mount point that you specify in the
splunk_app_stream
UI on the search head differs from the mount point that you specify instreamfwd.conf
.
Use file extraction
After mapping your Splunk Stream deployment to your remote file server, you are ready to configure file extraction for your metadata streams. For detailed instructions, see Use file extraction in the Splunk Stream User Manual.
Use Stream configuration templates | Configure targeted packet capture |
This documentation applies to the following versions of Splunk Stream™: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3
Feedback submitted, thanks!