Splunk Stream

Installation and Configuration Manual

Install an Independent Stream Forwarder for Splunk Cloud

Splunk App for Stream (splunk_app_stream) generates a curl script that you can run from the command line to install the forwarder.

Before you deploy an Independent Stream Forwarder (ISF), you must have an HTTP Event Collector (HEC) enabled and a HEC token for Splunk Stream. As a best practice, name the token "streamfwd". For more information, see HEC and managed Splunk Cloud.

Install an Independent Stream Forwarder

  1. In the Splunk App for Stream main menu, click Configure > Distributed Forwarder Management.
  2. Click Install Stream Forwarder. The Install Stream Forwarder window appears.
  3. Copy the curl script.
  4. SSH into the Linux machine where you want to install the Independent Stream Forwarder.
  5. Run the curl script that you copied from splunk_app_stream. For example:
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash
    
  6. At each prompt to download and install, type "Yes". At the prompt to start the streamfwd binary, type "Yes".

Optionally run the curl script in fully automated mode without prompts

  1. Run the curl script that you copied from splunk_app_stream with the following parameters appended: -s -- --accept-defaults.
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash -s -- --accept-defaults
    
  2. In the [streamfwd] stanza, specify the HEC token value:
    [streamfwd]
    httpEventCollectorToken = 6fe91580-2156-4644-8416-8b8d22b197ab
    
  3. Start the streamfwd service.
    sudo service streamfwd start
    
  4. Confirm that the splunk_stream_app_location address is set correctly in /opt/streamfwd/local/inputs.conf.
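
A post-install check covering steps 2 and 4 above, as an added example rather than Splunk's own tooling: it confirms that the [streamfwd] stanza carries a well-formed HEC token, that the file holding the token is not accessible to group or others, and that splunk_stream_app_location matches the value you expect. The function names, the path of the file holding the [streamfwd] stanza (passed as the first argument), the owner-only permission rule, the inputs.conf stanza name and all sample values are assumptions of this example.

```shell
#!/bin/sh
UUID_RE='^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'

# conf_get FILE KEY [STANZA]: print the last value of KEY (any stanza if omitted).
conf_get() {
  awk -v key="$2" -v want="$3" '
    /^[ \t]*#/  { next }                                   # comment line
    /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\].*$/, "", s); next }
    want == "" || s == want {
      i = index($0, "="); if (!i) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v
    }
    END { print val }' "$1"
}

# check_streamfwd TOKEN_CONF INPUTS_CONF EXPECTED_LOCATION
# Returns the number of findings (0 = clean). Never prints the token itself.
check_streamfwd() {
  fails=0
  [ -r "$1" ] && [ -r "$2" ] || { echo "FAIL: cannot read $1 or $2"; return 1; }
  token=$(conf_get "$1" httpEventCollectorToken streamfwd)
  if ! printf '%s\n' "$token" | grep -Eq "$UUID_RE"; then
    echo "FAIL: [streamfwd] httpEventCollectorToken missing or malformed in $1"
    fails=$((fails + 1))
  fi
  # Hardening choice of this example: the token file must be owner-only.
  if [ "$(ls -ldL "$1" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $1 holds the HEC token but group/other have access"
    fails=$((fails + 1))
  fi
  loc=$(conf_get "$2" splunk_stream_app_location)
  if [ "$loc" != "$3" ]; then
    echo "FAIL: splunk_stream_app_location is '$loc', expected '$3'"
    fails=$((fails + 1))
  fi
  return "$fails"
}

# make_sample DIR: write constructed sample files (placeholder values, assumed stanza name).
make_sample() {
  printf '%s\n' '[streamfwd]' 'httpEventCollectorToken = 00000000-0000-0000-0000-000000000000' > "$1/streamfwd.conf"
  printf '%s\n' '[streamfwd://streamfwd]' 'splunk_stream_app_location = https://stream.example.com:8000/en-us/custom/splunk_app_stream/' > "$1/inputs.conf"
  chmod 600 "$1/streamfwd.conf"
}

# Usage: sh audit.sh TOKEN_CONF /opt/streamfwd/local/inputs.conf EXPECTED_LOCATION
case "$#" in 3) check_streamfwd "$@" ;; esac
```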
Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3

