
Install Splunk App for Stream on Single Instance

Contributor

Hello,

I am doing a POC for the Stream app to monitor DB activity and tried to install the app on a single instance acting as search head and indexer. I also installed a UF and placed SplunkTAstream in the app folder of the UF. I got some data initially for TNS and other default data, but it stopped after some time.

I am confused: do we really need to use a UF for a single-instance deployment? I think installing from the web alone would be fine, since it configured the wire data input automatically and default data was coming in. I also looked at the streamfwd log for the UF, and it states that the WinPcap driver is already loaded and the port is in use. Please advise.

I am going to remove the UF and reinstall for a single instance, and will post the results.

Splunk v6.2.4
Stream App v6.4.2
OS: Windows 2008R2 64 bit


Splunk Employee

Correct - you only need one instance of SplunkTAstream running, so your single Splunk instance that has the Wire Data input enabled (which is the default) should be sufficient, and you don't need the UF.

Contributor

Thanks vshcherbakov_splunk, it is working fine. For a single instance, a UF deployment is not required.

I am getting the data and it is populating DB activity. I have one question: is it possible to capture the response coming back from the DB? Say I am running select statements and can see most of the data in the dashboard as captured in packets; can we capture the response given by the DB?

Thanks
Hemendra


Splunk Employee

Stream currently doesn't extract data from DB server responses beyond flow-level analytics. This is something we're planning to add in one of the future versions of Stream, but I cannot promise anything or give dates, etc.


Contributor

Thanks for the response. We will wait for the upgraded version.


Contributor

Hello,

I tested on the source machine and it was working fine. Thanks for your help.
Our client asked us to check if it can be done on the target (DB) side. I did the testing and the app was not working, throwing the error: Unable to initialize modular input "streamfwd" defined inside the app "SplunkTAstream": Unable to locate suitable script for introspection. On checking this forum, I found that the app is not supported on the Solaris platform. Can you please confirm whether that is the case, and whether there are any plans to support the app on Solaris?

Thanks
Hemendra


Splunk Employee

This is correct - SplunkTAstream is supported on Linux (32/64-bit), Windows (64-bit) and OS X platforms. I'm not aware of any plans to support the Stream TA on Solaris, although that may (or may not) change in the future.

Meanwhile, you can capture your Solaris servers' network traffic on a separate machine (or VM) if you can set up a SPAN port or network tap to mirror your database traffic to that machine/VM. This is a fairly common approach to network monitoring, with its own advantages and disadvantages.


Contributor

Hi,

Thanks for your quick response. I was checking your suggestion and read the network collection architecture topic in the docs. What I understood is that we need a dedicated collection node (UF + TAStream installed) which gets the data from the Solaris DB servers over a SPAN port and sends it to a heavy forwarder (TAStream installed) -> indexer (TAStream installed) -> search head (Stream app + TAStream (disabled) installed).
For the configuration part, the TAStream streamfwd binary should be able to communicate with the Stream app, so does the Stream app location need to be specified on the collection node TAStream, the HF TAStream and the IDX TAStream?

Really appreciate all your help on this!!

Thanks
Hemendra


Splunk Employee

Hi Hemendra,

Your understanding is pretty much correct. A couple of minor notes though:

  • Heavy Forwarder is optional - you can send Stream data to the indexer directly from the dedicated collection node (UF + TA_Stream).
  • TAStream should be disabled on the indexer, too, unless you're planning to collect network data on the indexer box (which is unlikely). The only place where StreamTA needs to be enabled is the wire data collection node.
  • TAStream needs to be configured with the proper Stream app location URL only on the node(s) where it's enabled (i.e. the collection node). The other nodes - indexer(s), search head(s), HF (if any) - only need TAStream installed (disabled) so that they're aware of Stream's props.conf and transforms.conf. There's no need to fully configure TA_Stream on these nodes.

Please let us know if you have any further questions.

--Vladimir

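As an added illustration of the last two points above (this is not part of Vladimir's reply or of Splunk's documentation), here is what the split between a collection node and a passive node looks like in the TA's local/inputs.conf. The stanza name and the splunk_stream_app_location and disabled keys are the ones used by Splunk_TA_stream's modular input, as I know them; the host name, port and file paths are placeholders to be checked against your own version and deployment.

```ini
# Collection node (UF + Splunk_TA_stream): the only node where streamfwd runs.
# File (assumed path): $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf
[streamfwd://streamfwd]
# Placeholder: the search head that hosts the Stream app.
splunk_stream_app_location = https://searchhead.example.com:8000/en-us/custom/splunk_app_stream/
disabled = 0

# Indexer, heavy forwarder (if any) and search head: install the TA so that its
# props.conf and transforms.conf are known, but keep the modular input off, so
# streamfwd never starts, loads a capture driver or binds a capture port there.
# Same file (assumed path) on each of those nodes:
[streamfwd://streamfwd]
disabled = 1
```

Only the collection node needs the URL; on the passive nodes a disabled stanza with no URL is enough, which is the "installed but disabled" state described above. In the single-instance case from the start of the thread, the search head itself is the collection node, so the stanza there stays enabled and points at localhost.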