icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

Thank You

Downloading Splunk Stream
SHA256 checksum (splunk-stream_720.tgz) 882aea5f48c2f43d06fb0bbbd15b60f4ea5da3225154f6664c70c365973c2996 SHA256 checksum (splunk-stream_713.tgz) 49e2518b081cc030be1cfdd6fc16d0f35ca9ed8f62d3c73458a5d023b4b5e7ae
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Splunk Stream

Splunk Built
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Splunk Stream is the purpose-built wire data collection and analytics solution from Splunk. Passively capture packets, dynamically detect application, parse the protocol, and send metadata back to your Indexer for over 30 protocols. Detection only for over 300 commercial protocols, even if encrypted.

Targeted full packet capture to NAS for forensic investigation of raw packets. Aggregate data using familiar SPL aggregation methods to reduce the volume of data indexed. Capture Flow-type records, including NetFlow v5, v9, jFlow, and sFlow, and IPFIX, and send Flow Records directly into your Indexers, with optional filtering and aggregation.

Ingest PCAP files in real-time or on-demand. Create MD5 hashes of file attachments for Threat Intelligence correlations using Splunk ES, and extract and store those reassembled files for forensic or DLP purposes. Parse SQL statements to help understand user intent. Understand IP client-server connections with patent-pending visualization.

Install Splunk Stream

  1. Click Download on this page. The splunk-stream_720.tgz installer file downloads to your computer.
  2. Log into Splunk Web.
  3. Click Apps > Manage Apps.
  4. Click Install App from File.
  5. Upload the splunk-stream_720.tgz installer file.
  6. Restart Splunk.

For detailed installation instructions, see Install Splunk Stream.

Splunk Stream components

Splunk Stream includes the following components:

• splunk_app_stream: splunk_app_stream provides configuration management for Splunk_TA_stream. You can use splunk_app_stream to configure event capture for multiple network protocols. See Supported Protocols.

• Splunk_TA_stream: Splunk_TA_stream contains the Stream Forwarder (streamfwd binary), which passively captures event data from network devices, and sends that data to Splunk Enterprise indexers using a "Wire Data" modular input.

• Independent Stream forwarder: Splunk Stream supports independent Stream forwarder installation on compatible Linux machines. Independent Stream Forwarder deployment is useful, for example, for capturing network data from Linux hosts that you want to monitor as part of a network service in a Splunk IT Service Intelligence (ITSI) deployment. No Splunk platform components are required on the machine where you install Stream Forwarder.

Important: You must be running splunkd with "root" privileges for the streamfwd binary to capture data. To set privileges on *nix:

  1. Go to $SPLUNK_HOME/etc/apps/Splunk_TA_stream.
  2. Issue the command sudo sh ./set_permissions.sh

On Windows, you must be running as administrator or install winpcap separately.

Source and sourcetype syntax

All captured events have "source=stream:stream-id" and "sourcetype=stream:protocol", where ID is typically the name of a protocol. For example, "sourcetype=stream:http."

Splunk Enterprise version requirements

Splunk Stream version 7.2.0 requires Splunk Enterprise version 7.2 or later.

For complete Splunk Stream documentation, see Splunk Stream documentation.

Release Notes

Version 7.2.0
Dec. 12, 2019

Please see the release notes here -

Version 7.1.3
April 17, 2019

Please see the release notes here -


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.