Use Stream configuration templates

Stream configuration templates are pre-defined Stream configurations that provide protocol field mappings for Splunk products.

  • Splunk IT Service Intelligence (ITSI): ITSI configuration templates provide custom protocol fields that map to metrics in Splunk ITSI modules.
  • Enterprise Security (ES): ES configuration templates provide custom protocol fields that map to CIM data models used in Splunk ES.

You can apply configuration templates to the streamfwd binary using command line options, which lets you configure data capture. Both the Stream forwarder and the Independent Stream Forwarder (ISF) support configuration templates.

Activate Stream configuration templates

To activate a Stream configuration template, add the configTemplateName=<product name> parameter to streamfwd.conf. You can use streamfwd command options to add this parameter or manually edit the streamfwd.conf file. Only one Stream configuration template can be active at a time.

Stream provides the following streamfwd command options to activate, deactivate, or list installed templates:

  -c [TEMPLATE_NAME]           Activate specified product template.
  -c                           Deactivate any active product template.
  --listtemplates              List installed product templates.

For example, to activate the ITSI configuration template:

./streamfwd -c itsi

Example: Activate configuration template in the Splunk Stream Forwarder

To activate the itsi configuration template for Splunk_TA_stream:

  1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin.
  2. Run the following command:
    [root@sr-centos2 bin]# ./streamfwd -c itsi
    configuration template located at /opt/splunk/etc/apps/Splunk_TA_stream/configs/itsi activated. 
    
  3. Restart Splunk.
  4. Confirm that the configTemplateName = itsi parameter has been added to Splunk_TA_stream/local/streamfwd.conf. For example:
    [streamfwd]
    port = 8889
    ipAddr = 127.0.0.1
    
    configTemplateName = itsi
    

Example: Activate configuration template for Independent Stream Forwarder

Independent Stream Forwarder deployments use HTTP Event Collector (HEC) to send data to indexers. When you activate a configuration template for an Independent Stream Forwarder deployment, you manually add one or more indexer.<N>.uri = <indexer_location> parameters to specify indexer locations.

To activate the es configuration template for an Independent Stream Forwarder deployment:

  1. Go to /opt/streamfwd/bin.
  2. Run the following command:
    [root@sr-centos2 bin]# ./streamfwd -c es
    configuration template located at /opt/streamfwd/configs/es is activated. 
    
  3. Restart streamfwd.
  4. Add indexer.<N>.uri = <indexer_location> parameters to specify indexer locations. For example:
    [streamfwd]
    port = 8889
    ipAddr = 127.0.0.1
    
    configTemplateName = es
    indexer.0.uri = http://soln-perf110-1:8088
    indexer.1.uri = http://soln-perf11-2:8088
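
The step 4 checks in both procedures can be scripted. The following is an added example, not part of the Splunk documentation: the function names and exit codes are this example's own, and the plain-HTTP warning assumes your HEC endpoint also accepts https:// URIs.

```shell
#!/bin/sh
# Added example (not from the Splunk documentation): audit streamfwd.conf
# after running "streamfwd -c <template>".

# Print key=value for every setting in the [streamfwd] stanza, trimmed,
# skipping comments, blank lines and other stanzas.
streamfwd_settings() {
    awk '
        /^[ \t]*\[/ { in_stanza = ($0 ~ /^[ \t]*\[streamfwd\][ \t]*$/); next }
        !in_stanza || /^[ \t]*(#|$)/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print key "=" val
        }' "$1"
}

# check_streamfwd_conf <conf_file> <expected_template> [isf]
# Returns 0 = ok, 1 = misconfigured, 2 = ok but an indexer URI is plain HTTP.
check_streamfwd_conf() {
    conf=$1; expected=$2; mode=${3:-ta}; rc=0; warn=0
    settings=$(streamfwd_settings "$conf")

    # Only one template can be active: require exactly one matching value.
    active=$(printf '%s\n' "$settings" | sed -n 's/^configTemplateName=//p')
    count=$(printf '%s\n' "$active" | grep -c . || true)
    if [ "$count" -ne 1 ] || [ "$active" != "$expected" ]; then
        echo "FAIL: want configTemplateName = $expected, found: ${active:-none}"
        rc=1
    fi

    # ISF only: indexer locations are added by hand, so check they exist.
    if [ "$mode" = isf ]; then
        uris=$(printf '%s\n' "$settings" | sed -n 's/^indexer\.[0-9][0-9]*\.uri=//p')
        [ -n "$uris" ] || { echo "FAIL: no indexer.<N>.uri parameter set"; rc=1; }
        for u in $uris; do
            case $u in
                https://*) echo "OK:   $u" ;;
                http://*)  echo "WARN: $u is plain HTTP, no TLS"; warn=1 ;;
                *)         echo "FAIL: $u is not an http(s) URI"; rc=1 ;;
            esac
        done
    fi
    if [ "$rc" -eq 0 ] && [ "$warn" -eq 1 ]; then rc=2; fi
    return "$rc"
}
```

Call it as check_streamfwd_conf <path to streamfwd.conf> itsi for Splunk_TA_stream, or with a third argument of isf to also check the indexer.<N>.uri entries.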