Hi all!
I am just getting started with an environment that we've somewhat inherited from another team within our org. For a variety of reasons, we use Heavy Forwarders to aggregate and forward data out of our network segments. We've been wanting to use the Splunk app for Stream to capture SIP traffic from a few of our nodes.
Today, I decided to try and figure out the installation plan, which has me very confused.
First, I'm not sure whether the Splunk app for Stream needs to be installed on our Indexers, Heavy Forwarders, or our Deployment Server. (Btw, we use a stand-alone deployment server)
Second, once Splunk app for Stream is installed, I know I'll need to deploy the Stream TA package to my Universal Forwarders. I've found that with the base configuration, just deploying the package with no modifications leads to my Universal Forwarders receiving an inputs.conf such as the following:
[streamfwd://streamfwd]
splunk_stream_app_location = https://DeploymentServerAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
I assume that this isn't what I want. Or maybe it is. Is this address just used as the management node for the stream app? (For example, protocol configuration?)
I was figuring that I should have the Splunk app for Stream installed on my Heavy Forwarder, and as such, have the inputs.conf directed like:
[streamfwd://streamfwd]
splunk_stream_app_location = https://HeavyForwarderAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
Additional questions:
Picture for reference:
After a bit of research I was able to answer this one myself.
If you're using a Heavy Forwarder, you'll want to deploy the Splunk App for Stream on the HF and configure your inputs.conf to point at port 8000 on the HF (or whichever server you decide to use for configuration).
So, after browsing around on Answers I've learned that Stream uses the Rest API to pull config from port 8000 on the machine that has the Splunk app for Stream installed. Events are sent up on the normal port.
That leads me to believe that I -should- install the app on my HF and then build a deployment package that references the HF on port 8000. Stream management can then be done from splunk web on that HF. Which actually sounds like a good way to keep my stream configurations separated between segments. (Not all of our segments should have the same stream configuration)
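Since the whole question comes down to which host the `splunk_stream_app_location` URL points at, here is an added example (not from this thread or from Splunk) that audits a Stream TA inputs.conf before it is pushed from the deployment server: it parses the streamfwd stanza and flags a location that is not HTTPS, not the intended Heavy Forwarder, or not port 8000. The hostnames are the placeholders used in the thread, and the sample inputs.conf is constructed.

```python
"""Audit a Stream TA inputs.conf for the streamfwd stanza's management URL.

Added example: checks that each streamfwd input fetches its configuration
over HTTPS from the intended Heavy Forwarder on port 8000, so a deployment
package does not silently point UFs at the wrong management node.
"""
from urllib.parse import urlparse

# Assumed values (placeholders, not real hosts): the HF that runs the
# Splunk App for Stream and the REST port it serves configuration on.
EXPECTED_HOST = "HeavyForwarderAddress"
EXPECTED_PORT = 8000

# Constructed inputs.conf as a UF would receive it from an unmodified
# deployment package (still pointing at the deployment server).
SAMPLE_INPUTS_CONF = """\
[streamfwd://streamfwd]
splunk_stream_app_location = https://DeploymentServerAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
"""

# Same stanza corrected to point at the HF, the layout the thread arrives at.
FIXED_INPUTS_CONF = SAMPLE_INPUTS_CONF.replace(
    "DeploymentServerAddress", EXPECTED_HOST
)


def parse_conf(text):
    """Minimal parser for Splunk .conf syntax: returns {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()  # empty values allowed
    return stanzas


def audit_stream_inputs(text, expected_host=EXPECTED_HOST, expected_port=EXPECTED_PORT):
    """Return a list of findings for every streamfwd:// stanza; [] means it is as intended."""
    findings = []
    for name, kv in parse_conf(text).items():
        if not name.startswith("streamfwd://"):
            continue
        if kv.get("disabled", "0") != "0":
            findings.append(f"{name}: input is disabled")
        location = kv.get("splunk_stream_app_location")
        if not location:
            findings.append(f"{name}: splunk_stream_app_location is missing")
            continue
        url = urlparse(location)
        host = (url.hostname or "").lower()  # urlparse lowercases the host
        if url.scheme != "https":
            findings.append(f"{name}: config fetched over {url.scheme!r}, expected https")
        if host != expected_host.lower():
            findings.append(f"{name}: points at {host}, expected {expected_host}")
        if url.port != expected_port:
            findings.append(f"{name}: port {url.port}, expected {expected_port}")
    return findings


if __name__ == "__main__":
    for label, conf in (("unmodified package", SAMPLE_INPUTS_CONF),
                        ("corrected package", FIXED_INPUTS_CONF)):
        problems = audit_stream_inputs(conf)
        print(f"{label}: {'OK' if not problems else problems}")
```

Run it against the inputs.conf in the deployment app before reloading the deployment server; the unmodified package is reported as pointing at the deployment server, and the corrected one passes.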
You've got it right, that's basically what the inputs.conf is saying.
As for keeping configurations separate, the latest version of the Stream app has a feature called Distributed Forwarder Management (DFM) that lets you define groups, and associate Streams with these groups. You can then place UFs into the Forwarder groups and control Stream configurations that way as well.
You can find out more about DFM here: http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/DistributedForwarderManagement