Install an Independent Stream Forwarder for Splunk Cloud

Splunk App for Stream (splunk_app_stream) generates a curl script that you can run from the command line to install the forwarder.

Before you deploy an Independent Stream Forwarder (ISF), you must have an HTTP Event Collector (HEC) enabled and a HEC token for Splunk Stream. As a best practice, name the token "streamfwd". For more information, see HEC and managed Splunk Cloud.

Install an Independent Stream Forwarder

  1. In the Splunk App for Stream main menu, click Configure > Distributed Forwarder Management.
  2. Click Install Stream Forwarder. The Install Stream Forwarder window appears.
  3. Copy the curl script.
  4. SSH into the Linux machine where you want to install the Independent Stream Forwarder.
  5. Run the curl script that you copied from splunk_app_stream. For example:
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash
    
  6. At each prompt to download and install, type "Yes". At the prompt to start the streamfwd binary, type "Yes".

Optionally run the curl script in fully automated mode without prompts

  1. Run the curl script that you copied from splunk_app_stream with the following parameters appended: -s -- --accept-defaults.
    curl -sSL http://stream-cont-func02:8000/en-us/custom/splunk_app_stream/install_streamfwd | sudo bash -s -- --accept-defaults
    
  2. In the [streamfwd] stanza, specify your HEC token value. For example:
    [streamfwd]
    httpEventCollectorToken = 6fe91580-2156-4644-8416-8b8d22b197ab
    
  3. Start the streamfwd service.
    sudo service streamfwd start
    
  4. Confirm that the splunk_stream_app_location address is set correctly in /opt/streamfwd/local/inputs.conf.
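
A post-install check for steps 2 through 4 of the automated procedure, as an added example that is not part of the original page or of Splunk's own tooling: it confirms that the HEC token is set in the [streamfwd] stanza, that the file holding it is not world-readable, and that splunk_stream_app_location is set. The function names, return codes, and the GUID-format assumption are this example's own; the file containing the [streamfwd] stanza is passed as an argument because the page does not name it.

```shell
#!/bin/sh
# Added example: post-install checks for an Independent Stream Forwarder.
# Usage: sh check_streamfwd.sh STREAMFWD_STANZA_FILE INPUTS_CONF

# Print the first value of KEY in a .conf file, optionally only inside [STANZA].
conf_value() {  # conf_value FILE KEY [STANZA]
    awk -v key="$2" -v want="${3:+[$3]}" '
        BEGIN { in_s = (want == "") }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim the line
        /^#/ || $0 == "" { next }                      # skip comments, blanks
        /^\[/ { in_s = (want == "" || $0 == want); next }
        in_s && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# 0 = token set and file private, 1 = token missing/malformed, 2 = file world-readable.
# Assumption: tokens have the 8-4-4-4-12 hex form of the page's example value.
check_hec_token() {  # check_hec_token FILE
    tok=$(conf_value "$1" httpEventCollectorToken streamfwd)
    if ! printf '%s\n' "$tok" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo "FAIL: httpEventCollectorToken missing or malformed in $1" >&2; return 1
    fi
    # Anyone holding the token can send events to the collector.
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "FAIL: $1 is world-readable; remove access with chmod o-r" >&2; return 2
    fi
}

# 0 = https address, 2 = plain-http address (warning), 1 = not set.
check_app_location() {  # check_app_location INPUTS_CONF
    loc=$(conf_value "$1" splunk_stream_app_location)
    case "$loc" in
        https://?*) return 0 ;;
        http://?*)  echo "WARN: $loc is plain, unencrypted HTTP" >&2; return 2 ;;
        *)          echo "FAIL: splunk_stream_app_location not set in $1" >&2; return 1 ;;
    esac
}

# Run both checks when the two file paths are given on the command line.
if [ "$#" -eq 2 ]; then
    rc=0
    check_hec_token "$1" || rc=1
    check_app_location "$2" || rc=1
    exit "$rc"
fi
```

The second argument is /opt/streamfwd/local/inputs.conf; an exit status of 0 means both checks passed without warnings.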