All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk App for Stream: forwarder configuration

goancea
Explorer
‎08-13-2014 12:25 PM

We completed the installation of the app and of course, had to manually copy the Splunk_TA_stream to the app/ directory,on the indexer. What wasn't clear to me was what has to be installed on the forwarder? Do we do the same install manually or just copy the Splunk_TA_steam directory structure over to the etc/deployment-apps/ location on the forwarder? It would appear that we need to have the streamfwd executable, and setuid to root at a minimum. Do we then setup a new wire data entry that points to the forwarder?
The forwarder setup isn't clear to me yet.

Reply
1 Solution
Solved! Jump to solution
Solution

sroback_splunk
Splunk Employee
Splunk Employee
‎08-13-2014 04:20 PM

hi. Yes, you can just copy the Splunk_TA_stream from the $SPLUNK_HOME/etc/deployment-apps directory to $SPLUNK_HOME/etc/apps on the forwarder. Splunk_TA_stream contains the streamfwd executable. The Wire Data (streamfwd) modular input in the deployment-apps directory is enabled by default. No need to set up an additional Wire Data input. Make sure to restart splunk after installing Splunk_TA_stream

For Splunk App for Stream installation instructions, see:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/InstallSplunkAppforStream

For common installation issues, see this troubleshooting item, see:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/Troubleshooting#Splunk_TA_stre...

View solution in original post

Reply
Solved! Jump to solution
Solution

sroback_splunk
Splunk Employee
Splunk Employee
‎08-13-2014 04:20 PM

hi. Yes, you can just copy the Splunk_TA_stream from the $SPLUNK_HOME/etc/deployment-apps directory to $SPLUNK_HOME/etc/apps on the forwarder. Splunk_TA_stream contains the streamfwd executable. The Wire Data (streamfwd) modular input in the deployment-apps directory is enabled by default. No need to set up an additional Wire Data input. Make sure to restart splunk after installing Splunk_TA_stream

For Splunk App for Stream installation instructions, see:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/InstallSplunkAppforStream

For common installation issues, see this troubleshooting item, see:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/Troubleshooting#Splunk_TA_stre...

Reply
Solved! Jump to solution

greathera
Explorer
‎07-09-2015 09:25 PM

It would be helpful if the documentation were updated to include more detail for installing the stream forwarder. Also, there is no mention of how to install the Stream App for a distributed deployment of Splunk. Does the full app get installed on the Search Head and the Indexer? All the documentation assumes a *nix O.S. How would the installation change for Windows?

Reply
Solved! Jump to solution

sroback_splunk
Splunk Employee
Splunk Employee
‎07-10-2015 12:53 PM

Hi.

Splunk_TA_stream (aka stream forwarder) is installed with the Splunk app for Stream package. In a distributed environment you can use the deployment server to push the Splunk_TA_stream out to new forwarders or manually install the TA on forwarders. This is covered in the following doc:
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/InstallSplunkAppforStream#Splun...

In a distributed deployment, you must install the Splunk_TA_stream on forwarders and indexers. The Stream app itself only requires installation on search heads. This is covered in the Distributed Deployment section of the Deployment Architectures documentation:
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/DeploymentArchitecture

In terms of Windows installation, the process is identical to Linux/OSX, with the exception that splunkd does not require root privileges on Windows. See Install Splunk App for Stream, Step 3: http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/InstallSplunkAppforStream#Step_...

Hope this helps.
Steven

0 Karma
Reply
Solved! Jump to solution

goancea
Explorer
‎08-14-2014 07:20 AM

As sroback_splunk stated, simply copying Splunk_TA_stream/ under the apps/ area worked for me. Since we don't have the executable as setuid root yet, the streamfwd.log file won't be created in the / directory until the perms are updated. Verified by seeing streamfwd info in the splunkd.log file.

Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top