Configure file extraction

To enable file extraction, you map your Splunk Stream deployment to a remote file server. Splunk Stream forwarder and Splunk Independent Stream Forwarder use the file server to store extracted files based on the metadata stream definition. For more information, see Use file extraction in the Splunk Stream User Manual.

Map a deployment to a remote file server

Before you configure file extraction for a metadata stream in splunk_app_stream, complete the following configuration steps:

1. Set up and mount the file server

Mount a file server for Splunk Stream Forwarder and Independent Stream Forwarder deployments.

1. If you do not have one, create a NFS (or similar) file server volume. For more information, see Set up a NFS server.
2. On the host machine running the streamfwd binary, mount the file server volume.

2. Add file server parameters to streamfwd.conf

1. Edit local/streamfwd.conf to specify your server parameters in the [streamfwd] stanza:

   fileServerId = <value>
   fileServerMountPoint = <value>
   

   For example:

   [streamfwd]
   fileServerId = 10.140.7.18:/StreamLoad
   fileServerMountPoint = /streamload
   

2. Restart Splunk.

3. Mount file server on search head

On the search head running splunk_app_stream, create a mount point. For more information, see Setting up an NFS client.

4. Configure mount point for file server

1. In the splunk_app_stream UI, click Configuration > File Server Mount Points.
2. Click Add File Server.
3. Specify the File Server and Mount Point. Click Create.
   

   The mount point that you specify in the splunk_app_stream UI on the search head differs from the mount point that you specify in streamfwd.conf.

Use file extraction

After mapping your Splunk Stream deployment to your remote file server, you are ready to configure file extraction for your metadata streams. For detailed instructions, see Use file extraction in the Splunk Stream User Manual.