We have a setup with multiple Search Heads, Indexers, Universal Forwarders and Heavy Forwarders.
We are trying to set up Splunk App for Stream to collect stream data from the Universal Forwarders into the Search Head.
We have gone through tons of documentation, to no use. There is no proper documentation for this scenario.
We understand that we need to install Splunk App for Stream on the Search Head and Splunk_TA_Stream on the Forwarder and on the Indexer as well.
We followed these steps:
1. Download splunk-app-for-stream_642 from SplunkBase and install it on the SH
2. Download Splunk_TA_Stream onto the Universal Forwarder and enable the wiredata input
3. Configure Splunk_TA_stream/local/inputs.conf
• Changes done on the forwarder:
-bash-4.1$ cat /opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
• inputs.conf
[streamfwd://streamfwd]
splunk_stream_app_location = https://FQDN-of-SearchHead:8000/splunk/en-US/app/splunk_app_stream/
disabled = 0
Now I don't have any idea what needs to be done on the Indexer.
Anyone who has clear steps for this type of configuration, please help!
Currently I don't see any data with source=stream* coming into the SH!
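One way to sanity-check the two forwarder stanzas quoted above before chasing the indexer side, as an added example that is not part of the original post and not Splunk's own tooling: parse the conf files the way a reviewer would read them and report the obvious misconfigurations (stream input disabled, no HTTPS app location, no tcpout target). The sample text is constructed here; the outputs.conf sample assumes the standard Splunk defaultGroup / [tcpout:<group>] / server keys, which the post's excerpt does not show, and the indexer hostnames are placeholders.

```python
"""Sanity-check a Splunk forwarder's streamfwd input and tcpout output stanzas."""
import configparser
from urllib.parse import urlparse

# Constructed sample: the inputs.conf stanza as it appears in the question.
INPUTS_CONF = """
[streamfwd://streamfwd]
splunk_stream_app_location = https://FQDN-of-SearchHead:8000/splunk/en-US/app/splunk_app_stream/
disabled = 0
"""

# Constructed sample: the question's [tcpout] line plus a tcpout group with
# placeholder indexer hostnames (assumed standard Splunk keys, not from the post).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = indexers
forwardedindex.2.whitelist = (_audit|_introspection|_internal)

[tcpout:indexers]
server = indexer1.example.internal:9997, indexer2.example.internal:9997
"""


def parse_conf(text):
    """Splunk .conf files are INI-like; parse without %-interpolation and keep key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_stream_input(text):
    """Return a list of findings for the [streamfwd://streamfwd] stanza (empty = looks fine)."""
    findings = []
    cp = parse_conf(text)
    stanza = "streamfwd://streamfwd"
    if stanza not in cp:
        return ["no [streamfwd://streamfwd] stanza: the stream input is not defined"]
    s = cp[stanza]
    # Splunk treats a missing 'disabled' as enabled, so default to "0".
    if s.get("disabled", "0").strip() not in ("0", "false"):
        findings.append("stream input is disabled")
    loc = s.get("splunk_stream_app_location", "").strip()
    if not loc:
        findings.append("splunk_stream_app_location is missing")
    else:
        u = urlparse(loc)
        if u.scheme != "https":
            findings.append("splunk_stream_app_location should use https")
        if not u.hostname:
            findings.append("splunk_stream_app_location has no hostname")
    return findings


def check_outputs(text):
    """Return a list of findings for the forwarder's tcpout configuration (empty = looks fine)."""
    findings = []
    cp = parse_conf(text)
    if "tcpout" not in cp:
        return ["no [tcpout] stanza: the forwarder has nowhere to send data"]
    group = cp["tcpout"].get("defaultGroup", "").strip()
    if not group:
        findings.append("[tcpout] has no defaultGroup")
        return findings
    gs = f"tcpout:{group}"
    if gs not in cp:
        findings.append(f"defaultGroup {group!r} has no [{gs}] stanza")
        return findings
    servers = [x.strip() for x in cp[gs].get("server", "").split(",") if x.strip()]
    if not servers:
        findings.append(f"[{gs}] lists no server")
    for srv in servers:
        host, _, port = srv.rpartition(":")
        if not host or not port.isdigit():
            findings.append(f"malformed server entry {srv!r}")
    return findings


if __name__ == "__main__":
    for name, result in (("inputs.conf", check_stream_input(INPUTS_CONF)),
                         ("outputs.conf", check_outputs(OUTPUTS_CONF))):
        print(name, "OK" if not result else "; ".join(result))
```

Run it against the real files by reading /opt/splunkforwarder/etc/apps/Splunk_TA_stream/local/inputs.conf and /opt/splunkforwarder/etc/system/local/outputs.conf into the two strings; an empty findings list only means the stanzas are well-formed, it does not prove the Search Head URL is reachable from the forwarder.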