This topic specifies Splunk Stream hardware and software requirements. For a list of network protocols that Splunk Stream supports, see Supported Protocols in this manual.
Before you install Splunk Stream, make sure that your underlying Splunk Enterprise deployment meets the requirements specified in Introduction to capacity planning for Splunk Enterprise in the Splunk Enterprise Capacity Planning Manual.
For baseline Splunk Enterprise hardware requirements, see Reference hardware in the Splunk Enterprise Capacity Planning Manual. Depending on the volume of network data that you plan to capture and index, additional resources might be required.
For information on Splunk Stream performance, see Performance test results and recommendations in this manual.
Supported operating systems
Splunk Stream 7.1.2 and later supports the following operating systems:
- Linux kernel version 2.6.32 or later (64-bit).
- Red Hat Enterprise Linux 6.5 or later
- CentOS 6.5 or later
- Ubuntu 16.04 or later
Note: Independent Stream Forwarder installation is supported on 64-bit Linux (RHEL and Ubuntu) only.
Caution: Default Linux kernel settings are not sufficient for high-volume packet capture. Using these settings can cause missing packets and data loss. We recommend that you add the following kernel settings to your
# increase kernel buffer sizes for reliable packet capture net.core.rmem_default = 33554432 net.core.rmem_max = 33554432 net.core.netdev_max_backlog = 10000
Then run the following to reload the settings:
- Mac OSX version 10.11 or later.
- Windows Server 2012R2 or later (64-bit)
Splunk Stream supports Local System and Administrator accounts only on Windows. For more information, see How the System account is used in Windows.
Splunk Enterprise version requirements
Splunk Stream runs on Splunk Enterprise. Before you install Splunk Stream, make sure that you are running the appropriate version of Splunk Enterprise.
Splunk Stream version 7.1.x is supported on Splunk Enterprise 7.1.x, 7.0.x, 6.6.x, 6.5.x and 6.4.x.
Splunk Enterprise component requirements
In a distributed Splunk Enterprise environment, you must install Splunk Stream on universal forwarders, indexers, and search heads, as applicable to your deployment. For details on Splunk Stream component requirements, see Deployment architectures in this manual.
Splunk Stream 6.2.x and later supports these browsers:
- Chrome (latest)
- Safari (latest)
- Firefox (latest) (version 10.x is not supported)
- Internet Explorer 9 or later. Internet Explorer version 9 is not supported in compatibility mode.
Splunk Stream does not require a separate license. You can install and use Splunk Stream on Splunk Enterprise with a single Splunk Enterprise license.
Splunk Enterprise licenses are based on the amount of data stored by your Splunk indexers per day. For more information, see How Splunk licensing works in the Splunk Enterprise Admin Manual.
Targeted packet capture and file extraction requirements
To use targeted packet capture and file extraction, you must map your Splunk Stream deployment to a remote file server. For instructions, see Configure targeted packet capture and Configure file extraction in this manual.
Targeted packet capture and file extraction require Splunk Stream version 7.1.0 or later.
NefFlow data collection requires Splunk Stream version 7.0.0 or later.
Splunk Stream is certified for deployment on Splunk Cloud. For more information, see Deploy Stream on Splunk Cloud in this manual.
For more information on Splunk Cloud services, see the Splunk Cloud Products page.
About Splunk Stream
Splunk Stream deployment architectures
This documentation applies to the following versions of Splunk Stream™: 7.1.2, 7.1.3