We completed the installation of the app and, of course, had to manually copy the Splunk_TA_stream to the app/ directory on the indexer. What wasn't clear to me was what has to be installed on the forwarder? Do we do the same install manually or just copy the Splunk_TA_stream directory structure over to the etc/deployment-apps/ location on the forwarder? It would appear that we need to have the streamfwd executable, and setuid to root at a minimum. Do we then set up a new wire data entry that points to the forwarder?
The forwarder setup isn't clear to me yet.
Hi. Yes, you can just copy the Splunk_TA_stream from the $SPLUNK_HOME/etc/deployment-apps directory to $SPLUNK_HOME/etc/apps on the forwarder. Splunk_TA_stream contains the streamfwd executable. The Wire Data (streamfwd) modular input in the deployment-apps directory is enabled by default. No need to set up an additional Wire Data input. Make sure to restart Splunk after installing Splunk_TA_stream.
For Splunk App for Stream installation instructions, see:
For common installation issues, see this troubleshooting item:
As sroback_splunk stated, simply copying Splunk_TA_stream/ under the apps/ area worked for me. Since we don't have the executable as setuid root yet, the streamfwd.log file won't be created in the / directory until the perms are updated. Verified by seeing streamfwd info in the splunkd.log file.
It would be helpful if the documentation were updated to include more detail for installing the stream forwarder. Also, there is no mention of how to install the Stream App for a distributed deployment of Splunk. Does the full app get installed on the Search Head and the Indexer? All the documentation assumes a *nix O.S. How would the installation change for Windows?
Splunk_TA_stream (aka stream forwarder) is installed with the Splunk App for Stream package. In a distributed environment you can use the deployment server to push the Splunk_TA_stream out to new forwarders or manually install the TA on forwarders. This is covered in the following doc:
In a distributed deployment, you must install the Splunk_TA_stream on forwarders and indexers. The Stream app itself only requires installation on search heads. This is covered in the Distributed Deployment section of the Deployment Architectures documentation:
In terms of Windows installation, the process is identical to Linux/OSX, with the exception that splunkd does not require root privileges on Windows. See Install Splunk App for Stream, Step 3: http://docs.splunk.com/Documentation/StreamApp/6.3.0/DeployStreamApp/InstallSplunkAppforStream#Step_...
Hope this helps.
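The thread leaves streamfwd waiting on a setuid-root permission change, so here is an added example (not from any poster or from Splunk's documentation) of a check to run on the forwarder after that change. The TA directory passed in and the finding names are assumptions made for this sketch; the binary is located by name rather than by an assumed subdirectory.

```shell
#!/bin/sh
# Added example: audit the streamfwd binary inside a copied Splunk_TA_stream.
# Prints one finding per line, or "ok" when nothing is flagged.
# Argument: path to the Splunk_TA_stream directory (assumed, e.g. under etc/apps).
audit_streamfwd() {
    ta_dir=$1
    # Find the binary by name; its subdirectory is not assumed here.
    bin=$(find "$ta_dir" -type f -name streamfwd 2>/dev/null | head -n 1)
    if [ -z "$bin" ]; then
        echo "not-found"
        return 1
    fi
    findings=""
    # The setuid bit only grants root if root owns the file.
    [ -n "$(find "$bin" -prune -user root)" ] || findings="$findings not-root-owned"
    # Without the setuid bit the binary runs as the calling user.
    [ -n "$(find "$bin" -prune -perm -4000)" ] || findings="$findings no-setuid"
    # A group- or world-writable setuid-root file can be modified by a
    # non-root account, which turns it into a privilege-escalation path.
    if [ -n "$(find "$bin" -prune -perm -0020)" ] ||
       [ -n "$(find "$bin" -prune -perm -0002)" ]; then
        findings="$findings writable-by-non-owner"
    fi
    # The same applies if other users can write the containing directory
    # and replace the file.
    dir=$(dirname "$bin")
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        findings="$findings parent-dir-world-writable"
    fi
    if [ -z "$findings" ]; then
        echo "ok"
        return 0
    fi
    # Emit one finding per line.
    for f in $findings; do
        echo "$f"
    done
    return 1
}
```

Call it as `audit_streamfwd "$SPLUNK_HOME/etc/apps/Splunk_TA_stream"`; anything other than `ok` should be resolved before restarting Splunk.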