How to deploy and configure the Splunk App for Stream in an environment with heavy forwarders?

bpitts2
Path Finder

Hi all!

I am just getting started with an environment that we've somewhat inherited from another team within our org. For a variety of reasons, we use Heavy Forwarders to aggregate and forward data out of our network segments. We've been wanting to use the Splunk app for Stream to capture SIP traffic from a few of our nodes.

Today, I decided to try and figure out the installation plan, which has me very confused.

First, I'm not sure whether the Splunk app for Stream needs to be installed on our Indexers, Heavy Forwarders, or our Deployment Server. (Btw, we use a stand-alone deployment server)

Second, once Splunk app for Stream is installed, I know I'll need to deploy the Stream TA package to my Universal Forwarders. I've found that with the base configuration, just deploying the package with no modifications leads to my Universal Forwarders receiving an inputs.conf such as the following:

[streamfwd://streamfwd]
splunk_stream_app_location = https://DeploymentServerAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id = 
disabled = 0

I assume that this isn't what I want. Or maybe it is. Is this address just used as the management node for the stream app? (For example, protocol configuration?)

I was figuring that I should have the Splunk app for Stream installed on my Heavy Forwarder, and as such, have the inputs.conf directed like:

[streamfwd://streamfwd]
splunk_stream_app_location = https://HeavyForwarderAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id = 
disabled = 0

Additional questions:

  • If my assumptions are correct - Under data inputs, does streamfwd need to be enabled on the Heavy Forwarder?
  • In the inputs.conf, under streamfwd can I specify which Index I would like the data in?

1 Solution

bpitts2
Path Finder

After a bit of research I was able to answer this one myself.

If you're using a Heavy Forwarder, you'll want to deploy the Splunk App for Stream on the HF and configure your inputs.conf to point at port 8000 on the HF (or whichever server you decide to use for configuration).

0 Karma

bpitts2
Path Finder

So, after browsing around on Answers I've learned that Stream uses the REST API to pull config from port 8000 on the machine that has the Splunk app for Stream installed. Events are sent up on the normal port.

That leads me to believe that I -should- install the app on my HF and then build a deployment package that references the HF on port 8000. Stream management can then be done from splunk web on that HF. Which actually sounds like a good way to keep my stream configurations separated between segments. (Not all of our segments should have the same stream configuration)

0 Karma
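A pre-deployment check for the mechanism described above: before pushing the Stream TA to the Universal Forwarders, confirm that the deployment app's inputs.conf actually points the streamfwd input at the Heavy Forwarder that hosts the Splunk App for Stream, over HTTPS on port 8000, rather than at the deployment server the stock package names. This is an added example, not code from the original post or from Splunk; the two inputs.conf texts are constructed from the stanzas quoted in the question, and the host names, `check_stream_input` and `EXPECTED_PATH` are assumptions for the sake of the example.

```python
"""Sanity-check a Splunk Stream forwarder inputs.conf before deploying it to UFs.

Added example (not Splunk's code). It parses the [streamfwd://streamfwd] stanza
and reports anything that would make the UF pull its Stream configuration from
the wrong place or over plain HTTP.
"""
import configparser
from urllib.parse import urlparse

# Constructed sample: what the unmodified Splunk_TA_stream package hands to a UF.
DEFAULT_INPUTS_CONF = """
[streamfwd://streamfwd]
splunk_stream_app_location = https://DeploymentServerAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
"""

# Constructed sample: the same stanza re-pointed at the HF that runs the Stream app.
HF_INPUTS_CONF = """
[streamfwd://streamfwd]
splunk_stream_app_location = https://HeavyForwarderAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
"""

STANZA = "streamfwd://streamfwd"
# Assumed: the path the stock package uses for the Stream app's config endpoint.
EXPECTED_PATH = "/en-us/custom/splunk_app_stream/"


def parse_inputs_conf(text):
    """Parse Splunk-style 'key = value' stanzas; only '=' separates keys from values."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(text)
    return parser


def check_stream_input(text, expected_host, expected_port=8000):
    """Return a list of findings for the streamfwd stanza; an empty list means it is as intended."""
    findings = []
    conf = parse_inputs_conf(text)
    if not conf.has_section(STANZA):
        return [f"missing [{STANZA}] stanza"]
    stanza = conf[STANZA]

    if stanza.get("disabled", "0").strip().lower() not in ("0", "false"):
        findings.append("streamfwd input is disabled on the forwarder")

    location = stanza.get("splunk_stream_app_location", "").strip()
    if not location:
        findings.append("splunk_stream_app_location is not set")
        return findings

    url = urlparse(location)
    # urlparse lower-cases the host, so compare case-insensitively.
    expected_host = expected_host.lower()
    if url.scheme != "https":
        findings.append(f"config would be fetched over {url.scheme or 'no scheme'}, expected https")
    if url.hostname != expected_host:
        findings.append(f"points at {url.hostname}, expected {expected_host}")
    if url.port != expected_port:
        findings.append(f"uses port {url.port}, expected {expected_port}")
    if url.path != EXPECTED_PATH:
        findings.append(f"path is {url.path!r}, expected {EXPECTED_PATH!r}")
    return findings


if __name__ == "__main__":
    for name, text in (("stock package", DEFAULT_INPUTS_CONF), ("HF-pointed package", HF_INPUTS_CONF)):
        problems = check_stream_input(text, "HeavyForwarderAddress")
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against `local/inputs.conf` of the deployment app (read the file instead of the constructed strings) with the HF's real host name as `expected_host`; a finding on the stock package is the expected result, since it still names the deployment server.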

jsie_splunk
Splunk Employee

You've got it right, that's basically what the inputs.conf is saying.

As for keeping configurations separate, the latest version of the Stream app has a feature called Distributed Forwarder Management (DFM) that lets you define groups, and associate Streams with these groups. You can then place UFs into the Forwarder groups and control Stream configurations that way as well.

You can find out more about DFM here: http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/DistributedForwarderManagement

0 Karma