Install Splunk App for Stream on Single Instance

hemendralodhi
Contributor

Hello,

I am doing a POC for the Stream app to monitor DB activity and tried to install the app on a single instance acting as search head and indexer. I also installed a UF and placed Splunk_TA_stream in the app folder of the UF. I got some data initially for TNS and other default data, but it stopped after some time.

I am confused as to whether we really need to use a UF for a single-instance deployment, as I think installing from the web alone will be fine, since it configured the wire data input automatically and default data was coming in. I also saw in the streamfwd log for the UF that it states the WinPcap driver is already loaded and the port is in use. Please advise.

I am trying to remove the UF and reinstall again for the single instance and will post results.

Splunk v6.2.4
Stream App v6.4.2
OS: Windows 2008R2 64 bit

vshcherbakov_sp
Splunk Employee

Correct - you only need one instance of Splunk_TA_stream running, so your single Splunk instance that has the Wire Data input enabled (which is the default) should be sufficient, and you don't need the UF.

hemendralodhi
Contributor

Thanks vshcherbakov_splunk, it is working fine. For a single instance, UF deployment is not required.

I am getting the data and it is populating DB activity. I have one question: is it possible to capture the response from the DB as well? Say I am running select statements and can see most of the data in the dashboard as captured in packets; can we capture the response given by the DB?

Thanks
Hemendra

vshcherbakov_sp
Splunk Employee

Stream currently doesn't extract data from DB server responses beyond flow-level analytics. This is something we're planning to add in one of the future versions of Stream, but I cannot promise or give dates, etc.

hemendralodhi
Contributor

Thanks for the response. We will wait for the upgraded version.

hemendralodhi
Contributor

Hello,

I tested on the source machine and it was working fine. Thanks for your help.
Our client asked to check if it can be done on the target side (DB). I did the testing and the app was not working, throwing an error (Unable to initialize modular input "streamfwd" defined inside the app "Splunk_TA_stream": Unable to locate suitable script for introspection.). On checking in this forum I found that the app is not supported on the Solaris platform. Can you please confirm if that is the case and if there are any plans to support the app on Solaris.

Thanks
Hemendra

vshcherbakov_sp
Splunk Employee

This is correct - Splunk_TA_stream is supported on Linux (32/64-bit), Windows (64-bit) and OS X platforms. I'm not aware of any plans to support the Stream TA on Solaris, although it may (or may not) change in future.

Meanwhile, you can capture your Solaris servers' network traffic on a separate machine (or VM) if you can set up a SPAN port or network tap to mirror your database traffic to that machine/VM. This is a fairly common approach to network monitoring, with its own advantages and disadvantages.

hemendralodhi
Contributor

Hi,

Thanks for your quick response. I was checking your suggestion and read the network collection architecture topic in the docs. So what I understood is that we need a dedicated collection node (UF + TA_Stream installed) which can get the data from the Solaris DB servers over a SPAN port and send the data to Heavy Forwarder (TA_Stream installed) -> indexer (TA_Stream installed) -> search head (Stream app + TA_Stream (disabled) installed).
For the configuration part, the TA_Stream streamfwd binary should be able to communicate with the Stream app, so does the Stream app location need to be specified on the collection node TA_Stream / HF TA_Stream / IDX TA_Stream?

Really appreciate all your help on this!!

Thanks
Hemendra

vshcherbakov_sp
Splunk Employee

Hi Hemendra,

Your understanding is pretty much correct. A couple of minor notes though:

  • Heavy Forwarder is optional - you can send Stream data to the indexer directly from the dedicated collection node (UF + TA_Stream).
  • TA_Stream should be disabled on the indexer, too, unless you're planning to collect network data on the indexer box (which is unlikely). The only place where TA_Stream needs to be enabled is the wire data collection node.
  • TA_Stream needs to be configured with the proper Stream app location URL only on the node(s) where it's enabled (i.e. the collection node). The other nodes - indexer(s), search head(s), HF (if any) - only need TA_Stream installed (disabled) so that they're aware of Stream's props.conf and transforms.conf. There's no need to fully configure TA_Stream on these nodes.

Please let us know if you have any further questions.

--Vladimir

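The deployment rule in Vladimir's answer (streamfwd enabled and pointed at the Stream app only on the collection node; installed but disabled everywhere else) can be checked mechanically. The following is an added example, not code from the thread or from Splunk; the per-node inputs.conf contents are constructed, and the `[streamfwd://streamfwd]` stanza with its `splunk_stream_app_location` and `disabled` keys is assumed to match Splunk_TA_stream's inputs.conf layout.

```python
"""Audit a Stream deployment layout: only the wire-data collection node should
run an enabled streamfwd input, and only it needs the Stream app location URL."""
import configparser

# Constructed sample inputs.conf contents per node role (not from a real deployment).
# Stanza and key names are assumed to follow Splunk_TA_stream's inputs.conf.
NODES = {
    "collector": """
[streamfwd://streamfwd]
splunk_stream_app_location = https://searchhead.example:8000/en-us/custom/splunk_app_stream/
disabled = 0
""",
    "indexer": """
[streamfwd://streamfwd]
disabled = 0
""",
    "searchhead": """
[streamfwd://streamfwd]
disabled = 1
""",
}

COLLECTION_ROLES = {"collector"}  # nodes that actually sniff a SPAN/tap feed

def parse_inputs(text):
    """Return the streamfwd stanza's enabled flag and app URL, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    stanza = "streamfwd://streamfwd"
    if not cp.has_section(stanza):
        return None
    sec = cp[stanza]
    return {"enabled": sec.get("disabled", "0").strip().lower() not in ("1", "true"),
            "app_location": sec.get("splunk_stream_app_location", "").strip()}

def audit(nodes, collection_roles):
    """Apply the thread's rule to every node and return a list of findings."""
    findings = []
    for name, text in nodes.items():
        cfg = parse_inputs(text)
        if cfg is None:
            findings.append(f"{name}: no streamfwd stanza (TA_Stream not installed?)")
            continue
        is_collector = name in collection_roles
        if cfg["enabled"] and not is_collector:
            findings.append(f"{name}: streamfwd enabled but node is not a collection node")
        if is_collector and not cfg["enabled"]:
            findings.append(f"{name}: collection node has streamfwd disabled")
        if is_collector and not cfg["app_location"]:
            findings.append(f"{name}: collection node lacks splunk_stream_app_location")
    return findings
```

With the constructed sample, only the indexer is flagged, because it still has the input enabled while the search head correctly carries the TA in a disabled state.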