Re: Splunk Add-on for Stream

gitau_gm

In our Splunk cloud instance, we recently had Stream installed and we are testing on one of the servers. Getting a 401 error, that points to an authentication issue.

What is the correct position?

Do we create a HEC token for Stream or does the app have a preconfigured key?

marnall

According to the Splunk Stream for Cloud deployment architecture, you need a HEC token only if you are using a Independent Stream Forwarder (ISF). If the Stream Add-on for Stream Forwarders is installed on a universal or heavy forwarder, then the data is sent to the indexers via the Splunk2Splunk protocol. If you are receiving any logs from your server already, then your Splunk2Splunk data stream authentication is working.

If you are using the add-on on the universal forwarder, then it does request stream configurations from the search head and will likely need to authenticate these requests. Are your internal logs showing status:401 errors connecting to the /streams/ endpoint of your Splunk cloud tenant?

Ref: https://help.splunk.com/en/splunk-cloud-platform/collect-stream-data/install-and-configure-splunk-st...

Splunk Add-on for Stream

configuration

troubleshooting

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation