Splunk Stream on single instance deployment (Linux) in a Windows environment

adamsmith47
Communicator

We have a very small test environment, with a single instance Splunk server (running on Linux) and a handful of Windows servers with UFs installed.

I'm attempting to use Splunk Stream to monitor NIC traffic on the Windows UFs. Following the Splunk Stream docs precisely is confusing (and in many cases just wrong). https://docs.splunk.com/Documentation/StreamApp/7.4.0/DeployStreamApp/AboutSplunkStream

I'm at the point I want to use the Splunk server's deployment server functionality to distribute the Splunk_TA_stream to the Windows UFs, but I'm confused on how to properly configure the Splunk_TA_stream app before deploying it. (Docs say, Splunk_TA_stream will be installed in SPLUNK_HOME/etc/deployment-apps preconfigured... this is certainly not true in my case.)

I'm at a loss of how to configure Splunk_TA_stream before deploying it (via deployment server) to the Windows UFs.

Any insight is greatly appreciated.

Thanks

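One way to do the staging the question asks about, as an added example that is not from this thread or from Splunk's own scripts: on the Linux instance, write the `Splunk_TA_stream` local override that tells each forwarder where to fetch its Stream configuration, and add a server class that only targets the Windows UFs. The `[streamfwd://streamfwd]` stanza and `splunk_stream_app_location` key are the ones the TA's own `inputs.conf` uses; the server class name `stream_windows`, the host pattern and the URL are placeholders chosen here. The script refuses a plain-HTTP app location, since the forwarders would otherwise pull their capture rules over an unencrypted channel.

```shell
#!/bin/sh
# Added example: stage Splunk_TA_stream for the deployment server on a single
# Linux Splunk instance so it can be pushed to Windows UFs. Paths follow the
# standard Splunk layout; the server class name, host pattern and URL are
# assumptions you replace with your own values.
set -eu

# Write the TA's local inputs.conf so every client that receives the app knows
# where to fetch its Stream configuration from (the stanza the TA itself uses).
stage_stream_ta() {
    splunk_home=$1      # e.g. /opt/splunk on the deployment server
    stream_app_url=$2   # e.g. https://splunk.example:8000/en-us/custom/splunk_app_stream/
    ta_dir="$splunk_home/etc/deployment-apps/Splunk_TA_stream"

    # Refuse plain HTTP: capture rules would otherwise travel unencrypted.
    case "$stream_app_url" in
        https://*) ;;
        *) echo "refusing non-HTTPS stream app location: $stream_app_url" >&2; return 1 ;;
    esac

    mkdir -p "$ta_dir/local"
    cat > "$ta_dir/local/inputs.conf" <<EOF
[streamfwd://streamfwd]
splunk_stream_app_location = $stream_app_url
disabled = 0
EOF
}

# Scope the server class (hypothetical name stream_windows) to Windows hosts
# matching a pattern, so the TA never lands on the Linux server itself.
stage_serverclass() {
    splunk_home=$1
    host_pattern=$2     # e.g. 'win-*'; avoid '*' unless every client should capture
    sc_dir="$splunk_home/etc/system/local"
    mkdir -p "$sc_dir"
    cat >> "$sc_dir/serverclass.conf" <<EOF

[serverClass:stream_windows]
whitelist.0 = $host_pattern
machineTypesFilter = windows-x64

[serverClass:stream_windows:app:Splunk_TA_stream]
restartSplunkd = true
stateOnClient = enabled
EOF
}

# Sanity check before running `splunk reload deploy-server`: both files exist,
# the input is enabled and the server class actually references the TA.
verify_staging() {
    splunk_home=$1
    inputs="$splunk_home/etc/deployment-apps/Splunk_TA_stream/local/inputs.conf"
    sc="$splunk_home/etc/system/local/serverclass.conf"
    [ -f "$inputs" ] && [ -f "$sc" ] &&
        grep -q '^disabled = 0' "$inputs" &&
        grep -q 'app:Splunk_TA_stream' "$sc"
}
```

Run the three functions against the real `$SPLUNK_HOME`, then `splunk reload deploy-server` so the Windows UFs pick up the app; the unpacked TA must already sit under `etc/deployment-apps`, the script only adds the `local/` override and the server class.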

devinmarco
New Member

Yes, Splunk Stream can be deployed on a single instance in a Windows environment. However, as you mentioned, there are some limitations to this deployment method.

One limitation is that you will not be able to use the Splunk Stream Universal Forwarder (UF) in a Windows environment. The UF is a Linux-only application that is used to collect data from Windows servers and send it to Splunk Stream. If you are deploying Splunk Stream on a single instance in a Windows environment, you will need to use the Splunk Stream Forwarder instead. The Splunk Stream Forwarder is a Windows-based application that can be used to collect data from Windows servers and send it to Splunk Stream.

Another limitation to deploying Splunk Stream on a single instance in a Windows environment is that you will not be able to take advantage of the Splunk Stream clustering feature. Clustering allows you to scale Splunk Stream by distributing the load across multiple Splunk Stream servers. If you are deploying Splunk Stream on a single instance in a Windows environment, you will not be able to take advantage of this feature.

Despite these limitations, deploying Splunk Stream on a single instance in a Windows environment can be a viable option for small deployments. If you are only collecting data from a few Windows servers, then the Splunk Stream Forwarder may be sufficient for your needs. Additionally, if you do not need to scale Splunk Stream, then you may not need to use the clustering feature.

Ultimately, the decision of whether or not to deploy Splunk Stream on a single instance in a Windows environment depends on your specific needs. If you are unsure of whether or not this deployment method is right for you, then I recommend that you contact Splunk support for assistance.
