Splunk App for Stream: forwarder configuration

goancea
Explorer

We completed the installation of the app and of course, had to manually copy the Splunk_TA_stream to the app/ directory, on the indexer. What wasn't clear to me was what has to be installed on the forwarder? Do we do the same install manually or just copy the Splunk_TA_stream directory structure over to the etc/deployment-apps/ location on the forwarder? It would appear that we need to have the streamfwd executable, and setuid to root at a minimum. Do we then set up a new wire data entry that points to the forwarder?
The forwarder setup isn't clear to me yet.

1 Solution

sroback_splunk
Splunk Employee

Hi. Yes, you can just copy the Splunk_TA_stream from the $SPLUNK_HOME/etc/deployment-apps directory to $SPLUNK_HOME/etc/apps on the forwarder. Splunk_TA_stream contains the streamfwd executable. The Wire Data (streamfwd) modular input in the deployment-apps directory is enabled by default. No need to set up an additional Wire Data input. Make sure to restart Splunk after installing Splunk_TA_stream.

For Splunk App for Stream installation instructions, see:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/InstallSplunkAppforStream

For common installation issues, see this troubleshooting item:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/Troubleshooting#Splunk_TA_stre...

greathera
Explorer

It would be helpful if the documentation were updated to include more detail for installing the stream forwarder. Also, there is no mention of how to install the Stream App for a distributed deployment of Splunk. Does the full app get installed on the Search Head and the Indexer? All the documentation assumes a *nix O.S. How would the installation change for Windows?

sroback_splunk
Splunk Employee

Hi.

Splunk_TA_stream (aka stream forwarder) is installed with the Splunk App for Stream package. In a distributed environment you can use the deployment server to push the Splunk_TA_stream out to new forwarders or manually install the TA on forwarders. This is covered in the following doc:
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/InstallSplunkAppforStream#Splun...

In a distributed deployment, you must install the Splunk_TA_stream on forwarders and indexers. The Stream app itself only requires installation on search heads. This is covered in the Distributed Deployment section of the Deployment Architectures documentation:
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/DeploymentArchitecture

In terms of Windows installation, the process is identical to Linux/OSX, with the exception that splunkd does not require root privileges on Windows. See Install Splunk App for Stream, Step 3: http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/InstallSplunkAppforStream#Step_...

Hope this helps.
Steven

0 Karma

goancea
Explorer

As sroback_splunk stated, simply copying Splunk_TA_stream/ under the apps/ area worked for me. Since we don't have the executable as setuid root yet, the streamfwd.log file won't be created in the / directory until the perms are updated. Verified by seeing streamfwd info in the splunkd.log file.
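
An added example, not part of the original posts and not Splunk's own tooling: a POSIX shell check of the setuid-root state of streamfwd that this thread discusses, plus the splunkd.log check mentioned above. It assumes the binary is a regular file named streamfwd somewhere under the TA directory and that $SPLUNK_HOME points at the forwarder's install; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): post-install checks for Splunk_TA_stream
# on a *nix forwarder. Assumption: the capture binary is a regular file named
# "streamfwd" somewhere under the TA directory; its sub-path is not given in
# the thread, so it is searched for rather than hard-coded.

# has_perm FILE MODE -> true if FILE has all permission bits in MODE set.
has_perm() { [ -n "$(find "$1" -perm "-$2" -print)" ]; }

# audit_streamfwd TA_DIR
# Prints "<findings> <path>" per binary; findings is OK or a comma list of
# NO_SETUID, NOT_ROOT_OWNED, GROUP_OR_WORLD_WRITABLE.
# Exit status: 0 all OK, 1 at least one finding, 2 no binary found.
audit_streamfwd() {
    find "$1" -type f -name streamfwd -print | (
        found=0; bad=0
        while IFS= read -r bin; do
            found=1; f=""
            has_perm "$bin" 4000 || f="$f,NO_SETUID"
            [ -n "$(find "$bin" -user 0 -print)" ] || f="$f,NOT_ROOT_OWNED"
            if has_perm "$bin" 0020 || has_perm "$bin" 0002; then
                f="$f,GROUP_OR_WORLD_WRITABLE"
            fi
            if [ -n "$f" ]; then bad=1; else f=",OK"; fi
            printf '%s %s\n' "${f#,}" "$bin"
        done
        [ "$found" -eq 1 ] || { printf 'NOT_FOUND %s\n' "$1"; exit 2; }
        exit "$bad"
    )
}

# streamfwd_log_lines LOGFILE -> number of lines mentioning streamfwd, the
# check used in the thread against splunkd.log.
streamfwd_log_lines() { grep -c 'streamfwd' "$1" || true; }

# Run against a real install only when SPLUNK_HOME is set.
if [ -n "${SPLUNK_HOME:-}" ] && [ -d "$SPLUNK_HOME/etc/apps/Splunk_TA_stream" ]; then
    audit_streamfwd "$SPLUNK_HOME/etc/apps/Splunk_TA_stream" || true
fi
```

A setuid bit on a file not owned by root does not grant root, and a setuid-root binary that is group- or world-writable is a finding in its own right, which is why the audit reports each condition separately.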
