Hi all!
I am just getting started with an environment that we've somewhat inherited from another team within our org. For a variety of reasons, we use Heavy Forwarders to aggregate and forward data out of our network segments. We've been wanting to use the Splunk app for Stream to capture SIP traffic from a few of our nodes.
Today, I decided to try and figure out the installation plan, which has me very confused.
First, I'm not sure whether the Splunk app for Stream needs to be installed on our Indexers, Heavy Forwarders, or our Deployment Server. (Btw, we use a stand-alone deployment server)
Second, once Splunk app for Stream is installed, I know I'll need to deploy the Stream TA package to my Universal Forwarders. I've found that with the base configuration, just deploying the package with no modifications leads to my Universal Forwarders receiving an inputs.conf such as the following:
[streamfwd://streamfwd]
splunk_stream_app_location = https://DeploymentServerAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
I assume that this isn't what I want. Or maybe it is. Is this address just used as the management node for the Stream app (for example, protocol configuration)?
I was figuring that I should have the Splunk app for Stream installed on my Heavy Forwarder, and as such, have the inputs.conf directed like:
[streamfwd://streamfwd]
splunk_stream_app_location = https://HeavyForwarderAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
Additional questions:
If my assumptions are correct, under Data Inputs, does streamfwd need to be enabled on the Heavy Forwarder?
In inputs.conf, under streamfwd, can I specify which index I would like the data in?
Picture for reference:
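A small check for the situation described in this post, added here as an example and not part of the original post or of the Splunk Stream app itself: before pushing the Stream TA from the deployment server, parse the inputs.conf it will deliver, confirm that splunk_stream_app_location uses HTTPS and points at the host you actually intend to serve the Stream app from, and rewrite it if it still carries the default host. The stanza and key names come from the post; the host names (DeploymentServerAddress, HeavyForwarderAddress) are the post's own placeholders, and the helper names are my own.

```python
import configparser
import io
from urllib.parse import urlparse

STANZA = "streamfwd://streamfwd"

# Constructed sample: the inputs.conf the unmodified Stream TA delivers to a
# Universal Forwarder, exactly as quoted in the post.
SAMPLE_INPUTS_CONF = """\
[streamfwd://streamfwd]
splunk_stream_app_location = https://DeploymentServerAddress:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0
"""


def _load(conf_text):
    # interpolation=None so '%' in values is not treated specially; Splunk .conf
    # files are INI-like enough for configparser to handle this stanza.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser


def check_streamfwd_input(conf_text, expected_host):
    """Return a list of (level, message) findings for the streamfwd stanza.

    expected_host is the host you intend the forwarders to fetch their Stream
    configuration from (an assumption of this example; the post's scenario
    would pass HeavyForwarderAddress).
    """
    parser = _load(conf_text)
    findings = []
    if STANZA not in parser:
        return [("error", f"missing stanza [{STANZA}]")]
    stanza = parser[STANZA]

    url = stanza.get("splunk_stream_app_location", "")
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append(("error", f"app location is not HTTPS: {url!r}"))
    # urlparse lowercases the host, so compare case-insensitively.
    if (parsed.hostname or "") != expected_host.lower():
        findings.append(("error",
                         f"app location points at {parsed.hostname!r}, "
                         f"expected {expected_host!r}"))
    if not stanza.get("stream_forwarder_id", "").strip():
        findings.append(("info", "stream_forwarder_id is empty"))
    if stanza.get("disabled", "0").strip() != "0":
        findings.append(("info", "streamfwd input is disabled"))
    return findings


def retarget_app_location(conf_text, new_host):
    """Return conf_text with the app location host swapped for new_host.

    Scheme, port and path are preserved; only the host changes.
    """
    parser = _load(conf_text)
    url = parser[STANZA]["splunk_stream_app_location"]
    parsed = urlparse(url)
    netloc = new_host if parsed.port is None else f"{new_host}:{parsed.port}"
    parser[STANZA]["splunk_stream_app_location"] = parsed._replace(netloc=netloc).geturl()
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for level, msg in check_streamfwd_input(SAMPLE_INPUTS_CONF, "HeavyForwarderAddress"):
        print(f"{level}: {msg}")
    print(retarget_app_location(SAMPLE_INPUTS_CONF, "HeavyForwarderAddress"))
```

Run it against the inputs.conf inside the deployment app (for example the Stream TA's local/ directory) before the deployment server pushes it; an "error" finding means the forwarders would fetch their Stream configuration from a host other than the one you intended, or over plain HTTP.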