Splunk Stream

Installation and Configuration Manual

Install and configure forwarders for a Splunk Cloud deployment

To deploy Splunk Stream on Splunk Cloud, contact your Splunk Cloud support team. Once your account team has configured your Splunk Cloud deployment, you can install forwarders to send data to your Cloud configuration:

  • Configure on-premise Splunk Stream forwarders to manage jobs or to capture data and send it to the Splunk Cloud indexers.
  • Configure an Independent Stream Forwarder deployment to use HEC to send data from a forwarder to your Splunk Cloud indexers.

Install Splunk Add-on for Stream Forwarder

For on-premise Splunk Add-on for Stream Forwarders, install and configure Splunk_TA_stream:

  1. Go to http://splunkbase.com/app/5238
  2. Download the Splunk Add-on for Stream and unpack the .tgz package.
  3. Place the resulting Splunk_TA_stream folder in the $SPLUNK_HOME/etc/apps directory on your forwarder.
  4. Make sure that your forwarder has access to the search head and port number. If you do not have this information, you can speak to your Splunk Cloud account team. The data is fetched from the Splunk App for Stream (splunk_app_stream) package that was configured as part of your Managed Splunk Cloud configuration.
  5. If you are running Stream on Linux or OSX, run the set_permissions.sh script in the Splunk_TA_stream directory.
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_stream
    sudo chmod +x ./set_permissions.sh
    sudo ./set_permissions.sh
  6. Open Splunk_TA_stream/local/inputs.conf.
  7. Edit the splunk_stream_app_location attribute to provide the location of the splunk_app_stream package that was configured as part of your managed Splunk Cloud configuration. In this example, the forwarder is given access to port 443/SSL to fetch its stream configuration over the API.
    splunk_stream_app_location = https://searchHead:443/en-us/custom/splunk_app_stream/
    stream_forwarder_id = 
    disabled = 0
  8. Restart the forwarder.
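
The following script is an added example, not part of the Splunk documentation or the add-on. It checks the inputs.conf values from step 7 (HTTPS location, parsable host and port, disabled = 0) and, when given a file path, probes the search head from step 4 with curl. The function names are hypothetical, and curl is assumed to be installed on the forwarder.

```shell
# Added example: sanity-check Splunk_TA_stream/local/inputs.conf before restarting.

# Print the value assigned to key $1 in file $2 (last assignment wins).
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Constructed sample: the three settings exactly as shown in step 7.
sample_conf() {
    printf '%s\n' 'splunk_stream_app_location = https://searchHead:443/en-us/custom/splunk_app_stream/' \
        'stream_forwarder_id = ' 'disabled = 0'
}

# Check splunk_stream_app_location in file $1; print "host port" if it is usable.
# Return codes: 2 = not set, 3 = not HTTPS, 4 = bad host/port, 5 = disabled is not 0.
# Assumes a hostname or IPv4 address (no bracketed IPv6 literal).
check_stream_location() {
    url=$(conf_value splunk_stream_app_location "$1")
    [ -n "$url" ] || { echo "splunk_stream_app_location is not set" >&2; return 2; }
    case $url in
        https://*) ;;
        *) echo "location is not HTTPS: $url" >&2; return 3 ;;
    esac
    hostport=${url#https://}; hostport=${hostport%%/*}
    case $hostport in
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
        *)   host=$hostport; port=443 ;;
    esac
    case $port in ''|*[!0-9]*) echo "bad port in: $url" >&2; return 4 ;; esac
    [ -n "$host" ] || { echo "no host in: $url" >&2; return 4; }
    [ "$(conf_value disabled "$1")" = "0" ] || { echo "disabled is not 0" >&2; return 5; }
    echo "$host $port"
}

# Step 4 check: TCP connect plus TLS handshake with certificate verification.
check_reachable() {
    curl --silent --show-error --output /dev/null --max-time 10 "https://$1:$2/"
}

# With a path argument, check that file and probe the search head.
# With no argument, parse the constructed sample offline.
if [ "$#" -eq 1 ]; then
    target=$(check_stream_location "$1") || exit $?
    set -- $target
    check_reachable "$1" "$2" && echo "OK: $1:$2 reachable over TLS"
else
    tmp=$(mktemp) && sample_conf > "$tmp" && check_stream_location "$tmp"; rm -f "$tmp"
fi
```

Because check_reachable does not pass --fail, any HTTP status counts as reachable; curl exits non-zero only on a network, timeout, or certificate error.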

For more information, see Introduction to Getting Data In in the Splunk Cloud Platform Admin Manual.

To configure your forwarder settings, see Configure Stream forwarder.

Independent Stream Forwarders

Independent Stream Forwarders (ISF) use HEC to send data to indexers in Splunk Cloud. This feature uses token-based authentication to ensure that your credentials are never transmitted from your on-premises systems to Splunk Cloud.

To install and configure an Independent Stream Forwarder from a Splunk Cloud configuration, see Install and configure an Independent Stream Forwarder from Splunk Cloud.

For more information, see Work with the HTTP Event Collector in the Splunk Cloud Platform Admin Manual.

See also: Install the Splunk Add-on for Stream Forwarder

Last modified on 20 December, 2023

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3
