Splunk App for Stream: forwarder configuration

Explorer

We completed the installation of the app and of course, had to manually copy the Splunk_TA_stream to the app/ directory, on the indexer. What wasn't clear to me was what has to be installed on the forwarder? Do we do the same install manually or just copy the Splunk_TA_stream directory structure over to the etc/deployment-apps/ location on the forwarder? It would appear that we need to have the streamfwd executable, and setuid to root at a minimum. Do we then set up a new wire data entry that points to the forwarder?
The forwarder setup isn't clear to me yet.

1 Solution

Splunk Employee

Hi. Yes, you can just copy the Splunk_TA_stream from the $SPLUNK_HOME/etc/deployment-apps directory to $SPLUNK_HOME/etc/apps on the forwarder. Splunk_TA_stream contains the streamfwd executable. The Wire Data (streamfwd) modular input in the deployment-apps directory is enabled by default. No need to set up an additional Wire Data input. Make sure to restart Splunk after installing Splunk_TA_stream.

For Splunk App for Stream installation instructions, see:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/InstallSplunkAppforStream

For common installation issues, see this troubleshooting item:
http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/Troubleshooting#Splunk_TA_stre...

Explorer

It would be helpful if the documentation were updated to include more detail for installing the stream forwarder. Also, there is no mention of how to install the Stream App for a distributed deployment of Splunk. Does the full app get installed on the Search Head and the Indexer? All the documentation assumes a *nix O.S. How would the installation change for Windows?

Splunk Employee

Hi.

Splunk_TA_stream (aka stream forwarder) is installed with the Splunk App for Stream package. In a distributed environment you can use the deployment server to push the Splunk_TA_stream out to new forwarders or manually install the TA on forwarders. This is covered in the following doc:
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/InstallSplunkAppforStream#Splun...

In a distributed deployment, you must install the Splunk_TA_stream on forwarders and indexers. The Stream app itself only requires installation on search heads. This is covered in the Distributed Deployment section of the Deployment Architectures documentation:
http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/DeploymentArchitecture

In terms of Windows installation, the process is identical to Linux/OSX, with the exception that splunkd does not require root privileges on Windows. See Install Splunk App for Stream, Step 3: http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/InstallSplunkAppforStream#Step_...

Hope this helps.
Steven

Explorer

As sroback_splunk stated, simply copying Splunk_TA_stream/ under the apps/ area worked for me. Since we don't have the executable as setuid root yet, the streamfwd.log file won't be created in the / directory until the perms are updated. Verified by seeing streamfwd info in the splunkd.log file.
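
An added example, not part of the original thread or of Splunk's documentation: a POSIX shell check for the setuid-root requirement on streamfwd discussed above, which also flags a binary that group or other users can write to. The function name `audit_streamfwd` and its status words are hypothetical, and because the thread does not say where streamfwd sits inside the TA, the script searches for it.

```shell
#!/bin/sh
# Added example (not from the thread): audit streamfwd under a TA directory.
# Usage: audit_streamfwd APP_DIR [EXPECTED_UID]    (EXPECTED_UID defaults to 0)
# Prints "<status> <path>" per binary; status is one of:
#   ok           owned by EXPECTED_UID, setuid set, not group/other writable
#   writable     group or other can modify a binary meant to run as root
#   wrong-owner  not owned by EXPECTED_UID, so setuid would not grant root
#   not-setuid   setuid bit missing (the state described in the last post)
# Returns 0 if every binary is ok, 1 if any is not, 2 if none was found.
audit_streamfwd() {
    app_dir=$1
    want_uid=${2:-0}
    # Location inside the TA is not given on the page, so search for it.
    list=$(find "$app_dir" -type f -name streamfwd 2>/dev/null)
    if [ -z "$list" ]; then
        echo "missing $app_dir"
        return 2
    fi
    rc=0
    while IFS= read -r f; do
        owner=$(ls -lnd "$f" | awk '{print $3}')    # numeric owner uid
        status=ok
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
            status=writable
        elif [ "$owner" != "$want_uid" ]; then
            status=wrong-owner
        elif [ -z "$(find "$f" -perm -4000)" ]; then
            status=not-setuid
        fi
        echo "$status $f"
        [ "$status" = ok ] || rc=1
    done <<EOF
$list
EOF
    return $rc
}

# Run the audit only when a directory is passed on the command line.
[ $# -eq 0 ] || audit_streamfwd "$@"
```

Pass the forwarder's Splunk_TA_stream directory as the first argument; a non-zero exit status makes the check usable from a deployment or compliance script.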