Install an Independent Stream Forwarder for Splunk Cloud
Splunk App for Stream (splunk_app_stream) generates a curl script that you can run from the command line to install the forwarder.
Before you deploy an Independent Stream Forwarder (ISF), you must have an HTTP Event Collector (HEC) enabled and you must have a HEC token for Splunk Stream. As a best practice, name the token "streamfwd". For more information, see HEC and managed Splunk Cloud.
Install an Independent Stream Forwarder
- In the Splunk App for Stream main menu, click Configure > Distributed Forwarder Management.
- Click Install Stream Forwarder. The Install Stream Forwarder window appears.
- Copy the curl script.
- SSH into the Linux machine where you want to install the Independent Stream Forwarder.
- Run the curl script that you copied from splunk_app_stream. For example:
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash
- At each prompt to download and install, type "Yes". At the prompt to start the streamfwd binary, type "Yes".
Optionally run the curl script in fully automated mode without prompts
- Run the curl script that you copied from splunk_app_stream with the following parameters appended: -s -- --accept-defaults
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash -s -- --accept-defaults
- In the [streamfwd] stanza, specify the HEC token value:
    [streamfwd]
    httpEventCollectorToken = 6fe91580-2156-4644-8416-8b8d22b197ab
- Start the streamfwd service:
    sudo service streamfwd start
- Confirm that the splunk_stream_app_location address is set correctly in /opt/streamfwd/local/inputs.conf.
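A post-install check for the last steps above, as an added example that is not part of the Splunk documentation or tooling: it confirms that a GUID-shaped HEC token is set in the [streamfwd] stanza, that the file holding it is closed to other users, and that splunk_stream_app_location is set, reporting when it uses cleartext http. The function names and the two file-path arguments are assumptions; the page does not name the file that holds the [streamfwd] stanza, so pass its path yourself.

```shell
# Added example: post-install checks for an Independent Stream Forwarder.
# Assumption: the caller passes the file holding [streamfwd] and inputs.conf.

# conf_get FILE STANZA KEY: print KEY's value from [STANZA] ("*" = any stanza).
conf_get() {
    awk -v stanza="[$2]" -v key="$3" '
        BEGIN { in_s = (stanza == "[*]") }
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t\r]+$/, ""); in_s = (stanza == "[*]" || $0 == stanza); next }
        in_s && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { print v; exit }   # commented-out keys never match
        }' "$1"
}

# check_token FILE: succeed when the HEC token is set and GUID-shaped.
check_token() {
    conf_get "$1" streamfwd httpEventCollectorToken |
        grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# check_perms FILE: succeed when "other" users have no access to the token file.
check_perms() { [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]; }

# app_location_scheme FILE: print https, http, or unset.
app_location_scheme() {
    case "$(conf_get "$1" '*' splunk_stream_app_location)" in
        https://*) echo https ;;
        http://*)  echo http ;;
        *)         echo unset ;;
    esac
}

# check_isf TOKEN_CONF INPUTS_CONF: report findings; non-zero if any.
check_isf() {
    rc=0
    check_token "$1" || { echo "FAIL: no GUID-shaped HEC token in [streamfwd] of $1"; rc=1; }
    check_perms "$1" || { echo "WARN: $1 holds the HEC token but is accessible to other users"; rc=1; }
    case "$(app_location_scheme "$2")" in
        http)  echo "WARN: splunk_stream_app_location in $2 uses cleartext http"; rc=1 ;;
        unset) echo "FAIL: splunk_stream_app_location is not set in $2"; rc=1 ;;
    esac
    return "$rc"
}

# Runs only when both paths are given: sh check_isf.sh TOKEN_CONF /opt/streamfwd/local/inputs.conf
if [ "$#" -eq 2 ]; then check_isf "$1" "$2"; fi
```

A WARN on http means the forwarder fetches its configuration from the Stream app without transport encryption; a FAIL means the forwarder cannot authenticate to HEC or locate the app at all.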
This documentation applies to the following versions of Splunk Stream™: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3