Migrate Splunk Stream in a distributed deployment

As of Verison 7.3, Splunk Stream is packaged as three components. After migration, managing and upgrading components will be easier and will work more readily with Splunk management tools for clustered environments.

Independent Stream Forwarders are packaged as a binary file <streamfwd> in the Splunk App for Stream package.

For more about Splunk Stream components, see Splunk Stream installation package overview in this manual.

Upgrade Splunk App for Stream and Install Splunk Add-on for Stream Wire Data

Migrate from a previous version of Splunk Stream that included Splunk App for Stream and Splunk Add-on for Stream Forwarders.

For information about deploying apps and add-ons to search head clusters and Indexer clusters, see App deployment overview in the Splunk Enterprise Admin Manual.

To download the files for this task:

• Download the Splunk Add-on for Stream Wire Data at http://splunkbase.com/app/5234.
• Download the Splunk App for Stream at http://splunkbase.splunk.com/app/1809.

1. If you are running in data capture mode on your Indexers or search head, disable the Splunk Add-on for Stream Forwarders (Splunk_TA_stream). Do this by setting the Splunk Add-on for Stream Forwarders to disabled = 1 in app.conf.
2. (Optional) If you use a deployer, back up your existing version of the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) and the Splunk App for Stream (splunk_app_stream).
3. Install the Splunk Add-on for Stream Wire Data (Splunk_TA_stream_wire_data) on your search heads and indexers.
4. If you kept any of the following files in Splunk_TA_stream/local/ of your previous installation, use the back up you created in step two to move them to Splunk_TA_stream_wire_data/local/ before pushing the add-ons to the cluster.
   • distsearch.conf
   • tags.conf
   • props.conf
   • transforms.conf
   • eventtypes.conf
   • indexes.conf (for indexer package only)
5. (Optional) If you have moved the files in step four to Splunk_TA_stream_wire_data/local/, delete them from Splunk_TA_stream. This keeps the installation clean and avoids potential conflicts with future release changes.
6. (Optional) To continue to collect network data from your search heads and indexers you can upgrade the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) on your search heads and indexers.
7. Upgrade the Splunk App for Stream (splunk_app_stream) on your search heads. Do not disable or delete Splunk App for Stream after installation, this file retains all forwarder configurations.
8. Enable the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) by setting the app.conf file to enabled = 0.
9. Restart your search heads and indexers.
10. Check your dashboards to verify that your data flows as expected.

Upgrade the Splunk Add-on for Stream Forwarders

Use the Deployment server for easy and consistent implementation across all forwarders. If your Stream deployment includes additional forwarders that are not on your Deployment server or if you are not using the Deployment server, you must manually upgrade Splunk Add-on for Stream Forwarders (Splunk_TA_stream) on each forwarder.

For information about deploying apps and add-ons to search head clusters and indexer clusters, see App deployment overview in the Splunk Enterprise Admin Manual.

Download the Splunk Add-on for Stream Forwarders at http://splunkbase.com/app/5238.

1. ssh into the deployment server for the forwarders.
2. Make a backup of your existing version of Splunk_TA_stream.
3. Extract the latest version of the Splunk Add-on for Stream Forwarders (Splunk_TA_stream) over your previous version.
4. (Optional) Remove all of the files listed in step four of "Upgrade Splunk App for Stream and Install Splunk Add-on for Stream Wire Data" in this topic.
5. Reload your Deployment server to push the new version of the Splunk Add-on for Stream Forwarders Splunk_TA_stream to the forwarders.

On Windows systems, Splunk Stream supports the Admin role only.