Splunk Stream

Installation and Configuration Manual

Use Stream configuration templates

Stream configuration templates are pre-defined Stream configurations that provide protocol field mappings for Splunk products.

  • Splunk IT Service Intelligence (ITSI): ITSI configuration templates provide custom protocol fields that map to metrics in Splunk ITSI modules.
  • Enterprise Security (ES): ES configuration templates provides custom protocol fields that map to CIM data models used in Splunk ES.

You can apply configuration templates to the streamfwd binary using command line options, which lets you configure data capture. Both the Stream forwarder and the ISF support configuration templates.

Activate Stream configuration templates

To activate a Stream configuration template, add the configTemplateName=<product name> parameter to streamfwd.conf. You can use streamfwd command options to add this parameter or manually edit the streamfwd.conf file. You can use one active Stream configuration template at a time.

Stream provides the following streamfwd command options to activate, deactivate, or list installed templates: 

  -c [TEMPLATE_NAME]           Activate specified product template.
  -c                           Deactivate any active product template.
  --listtemplates              List installed product templates.

For example, to activate the ITSI configuration template: 

./streamfwd -c itsi

Example: Activate configuration template in the Splunk Stream Forwarder

To activate the itsi configuration template for Splunk_TA_stream:

  1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin.
  2. Run the following command: 
    [root@sr-centos2 bin]# ./streamfwd -c itsi
configuration template located at /opt/splunk/etc/apps/Splunk_TA_stream/configs/itsi activated.
  3. Restart Splunk.
  4. Confirm that the configTemplateName = itsi parameter has been added to Splunk_TA_stream/local/streamfwd.conf. For example: 
    [streamfwd]
port = 8889
ipAddr = 127.0.0.1

configTemplateName = itsi

Example: Activate configuration template for Independent Stream Forwarder

Independent Stream Forwarder deployments use HTTP Event Collector (HEC) to send data to indexers. When you activate a configuration template for an Independent Stream Forwarder deployment, you manually add one or more indexer.0.uri = <indexer_location> parameters to specify indexer locations.

To activate the es configuration template for an Independent Stream Forwarder deployment:

  1. Go to opt/streamfwd/bin.
  2. Run the following command: 
    [root@sr-centos2 bin]# ./streamfwd -c es
configuration template located at /opt/streamfwd/configs/es is activated.
  3. Restart streamfwd.
  4. Add indexer.<N>.uri = <indexer_location> parameters to specify indexer locations. For example: 
    [streamfwd]
port = 8889
ipAddr = 127.0.0.1

configTemplateName = es
indexer.0.uri = http://soln-perf110-1:8088
indexer.1.uri = http://soln-perf11-2:8088
Last modified on 03 March, 2022
Automatically input data with Netflow proprietary configurations   Configure file extraction

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters