We completed the installation of the app and, of course, had to manually copy the Splunk_TA_stream to the app/ directory on the indexer. What wasn't clear to me was what has to be installed on the forwarder. Do we do the same install manually, or just copy the Splunk_TA_stream directory structure over to the etc/deployment-apps/ location on the forwarder? It would appear that we need to have the streamfwd executable, and setuid to root at a minimum. Do we then set up a new wire data entry that points to the forwarder?
The forwarder setup isn't clear to me yet.
Hi. Yes, you can just copy the Splunk_TA_stream from the $SPLUNK_HOME/etc/deployment-apps directory to $SPLUNK_HOME/etc/apps on the forwarder. Splunk_TA_stream contains the streamfwd executable. The Wire Data (streamfwd) modular input in the deployment-apps directory is enabled by default. No need to set up an additional Wire Data input. Make sure to restart Splunk after installing Splunk_TA_stream.
For Splunk App for Stream installation instructions, see:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/InstallSplunkAppforStream
For common installation issues, see this troubleshooting item:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/Troubleshooting#Splunk_TA_stre...
It would be helpful if the documentation were updated to include more detail for installing the stream forwarder. Also, there is no mention of how to install the Stream App for a distributed deployment of Splunk. Does the full app get installed on the Search Head and the Indexer? All the documentation assumes a *nix O.S. How would the installation change for Windows?
Hi.
Splunk_TA_stream (aka stream forwarder) is installed with the Splunk app for Stream package. In a distributed environment you can use the deployment server to push the Splunk_TA_stream out to new forwarders or manually install the TA on forwarders. This is covered in the following doc:
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/InstallSplunkAppforStream#Splun...
In a distributed deployment, you must install the Splunk_TA_stream on forwarders and indexers. The Stream app itself only requires installation on search heads. This is covered in the Distributed Deployment section of the Deployment Architectures documentation:
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/DeploymentArchitecture
In terms of Windows installation, the process is identical to Linux/OSX, with the exception that splunkd does not require root privileges on Windows. See Install Splunk App for Stream, Step 3: http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/InstallSplunkAppforStream#Step_...
Hope this helps.
Steven
As sroback_splunk stated, simply copying Splunk_TA_stream/ under the apps/ area worked for me. Since we don't have the executable as setuid root yet, the streamfwd.log file won't be created in the / directory until the perms are updated. Verified by seeing streamfwd info in the splunkd.log file.
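A check for the streamfwd ownership and setuid state discussed in this thread, as an added example that is not part of any poster's reply or of Splunk's own tooling. The function name and the finding labels are made up for illustration, and because the thread does not give the location of streamfwd inside the TA, the binary is located by name.

```shell
#!/bin/sh
# Added example: audit the streamfwd binary inside a copy of Splunk_TA_stream.
# The path of streamfwd within the TA is not stated in the thread, so it is
# searched for by name instead of being hard-coded.

# check_streamfwd APP_DIR
# Prints one finding per line; returns 0 only when the single finding is "ok".
check_streamfwd() {
    app_dir=$1
    bin=$(find "$app_dir" -type f -name streamfwd 2>/dev/null | head -n 1)
    if [ -z "$bin" ]; then
        echo "missing"          # TA not copied, or copied without the binary
        return 1
    fi
    rc=0
    # The thread expects the executable to be setuid.
    [ -u "$bin" ] || { echo "not-setuid"; rc=1; }
    # setuid only grants root if the file is owned by uid 0.
    [ -n "$(find "$bin" -user 0)" ] || { echo "not-root-owned"; rc=1; }
    # A setuid-root file that group or others can write to can be replaced
    # by a non-root user, so flag it.
    [ -z "$(find "$bin" \( -perm -020 -o -perm -002 \))" ] \
        || { echo "writable-by-others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok"
    return "$rc"
}
```

On the forwarder, call it as `check_streamfwd "$SPLUNK_HOME/etc/apps/Splunk_TA_stream"` after copying the TA and before restarting Splunk.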