Configure Stream forwarder
After you install your Splunk Stream Forwarder, you configure it to forward data to you Spunk Stream deployment:
- Provide the Splunk Add-on for Stream Forwarders with the location of your Splunk App for Stream installation.
- Configure your local Stream Forwarders to specify data capture parameters.
- Configure parameters for
Provide the Splunk Add-on for Stream Forwarders with the location of your Splunk App for Stream installation
Before you set up stream data capture, configure
Splunk_TA_stream/local/inputs.confto communicate with the Splunk App for Stream. Your Stream forwarders use this location to retrieve the stream capture configurations, including protocols, fields, and aggregation types, that you define in the Configure Streams UI.
- Confirm that the
[streamfwd://streamfwd]stanza contains the correct location (URI) of your
splunk_app_streaminstallation. For search head clusters, the address for this can be a single URL that is either a load balancer with sticky sessions or a single member of the SHC.
[streamfwd://streamfwd] splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/ disabled = 0
For more information, see How Splunk_TA_stream communicates with splunk_app_stream in this manual.
splunk_app_stream URI supports
https protocols. If you enable SSL, you must change the URI path to specify
https. If you change the http port, you must change the URI path to specify the new port.
Configure the Stream forwarder identifier
When using a deployment server, if you set or modify the
stream_forwarder_id of a Stream forwarder while a process is running, you must restart the universal forwarder for the changes to apply to the
You can also use the
stream_forwarder_id to manage distributed stream forwarder instances. For more information, see Distributed forwarder management.
Enable SSL certificate validation
Enable certificate validation for SSL connections to
Splunk_TA_stream to verify the identity of
splunk_app_stream servers. To enable certificate validation, edit the parameters in
- Open to edit
- Set the following parameters:
sslVerifyServerCert = true: Enables server (
splunk_app_stream) certificate validation on the client(
rootCA = <path>: Points to the file name of the root CA certificate file. If the
sslVerifyServerCertparameter is set to true,
rootCAmust show the full path to the root CA certificate file. If this parameter is left empty or points to a non-existent file, certificate validation does not occur.
sslCommonNameToCheck = <commonName>: This lets you override the common name value to compare against the certificate CN. If this parameter is left blank, the fully qualified host name of the
splunk_app_streamserver is verified against the CN in the server certificate. For the certificate CN, the Common Name formats
streamapp.app.splunk.comare supported. If certificate validation is enabled and validation fails because the certificate is not valid or because the common names do not match,
streamfwddoes not connect to the
Configure the indexer receiving port for Splunk Stream data.
- On the indexers tab, go to Settings > Forwarding and Receiving.
- Click Configure Receiving.
- Click New.
- Enter the receiving port number. For example, port 9997.
- Click Save.
Upgrade the Splunk Add-on for Stream Forwarders
Configure Forwarder Parameters in streamfwd.conf
This documentation applies to the following versions of Splunk Stream™: 7.3.0