Version: 2.0.0

Splunk

Standalone Search Head

  1. Install the provided .spl using the Web GUI or the CLI.
  2. Configure Cribl Stream instances and collectors using the configuration dashboards

Search Head Cluster

  1. Unpack the provided .spl to $SPLUNK_HOME/etc/shcluster/apps on the deployer
  2. Deploy the app bundle to the search head cluster
  3. Configure Cribl Stream instances and collectors using the configuration dashboards

Upgrade from UTStream 1.0.0

On-Premise Splunk Enterprise

  1. Update UTStream to 2.0.0
  2. Move local/cribl_instance.conf to local/utstream_instance.conf
  3. Add cribl_roles to each stanza in local/utstream_instance.conf
  4. Add entries to local/passwords.conf for each instance using the following API call:
    curl -k -u <username>:<password> https://localhost:8089/servicesNS/nobody/SA-DP-utstream/storage/passwords -d name=<username> -d password=<password> -d realm=<instance_name>
    No further action is required if the call returns an "A password already exists" error.
  5. Restart Splunk
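
A check that can be run between steps 4 and 5 to confirm steps 2 to 4 took effect, added here as an example and not part of UTStream. It assumes the stanza names in local/utstream_instance.conf are the <instance_name> values used as realm in step 4 and that the app directory is passed as the first argument; the keys and values written by make_sample are constructed.

```shell
# Added example (not UTStream code): pre-restart check for upgrade steps 2-4.
# Assumptions: the stanza names in utstream_instance.conf are the <instance_name>
# values used as realm in step 4; names contain no ':' (Splunk escapes it).

# Step 3: print each stanza of conf file $1 that has no cribl_roles key.
missing_roles() {
  awk '
    function report() { if (name != "" && !seen) print name }
    /^\[.*\]/ { report(); name = $0; sub(/^\[/, "", name)
                sub(/\][ \t]*$/, "", name); seen = 0; next }
    /^[ \t]*cribl_roles[ \t]*=/ { seen = 1 }
    END { report() }' "$1"
}

# Step 4: print each stanza of $1 with no [credential:<realm>:<user>:] in $2.
missing_credentials() {
  awk '/^\[.*\]/ { sub(/^\[/, ""); sub(/\][ \t]*$/, ""); print }' "$1" |
  while IFS= read -r inst; do
    grep -qF "[credential:${inst}:" "$2" 2>/dev/null || printf '%s\n' "$inst"
  done
}

# Run all checks against app directory $1; returns non-zero on any finding.
check_upgrade() {
  cu_dir="$1/local"; cu_rc=0
  if [ -e "$cu_dir/cribl_instance.conf" ]; then
    echo "step 2: local/cribl_instance.conf still present"; cu_rc=1
  fi
  if [ ! -f "$cu_dir/utstream_instance.conf" ]; then
    echo "step 2: local/utstream_instance.conf missing"; return 1
  fi
  cu_m=$(missing_roles "$cu_dir/utstream_instance.conf")
  [ -z "$cu_m" ] || { echo "step 3: no cribl_roles in:" $cu_m; cu_rc=1; }
  cu_m=$(missing_credentials "$cu_dir/utstream_instance.conf" "$cu_dir/passwords.conf")
  [ -z "$cu_m" ] || { echo "step 4: no stored credential for:" $cu_m; cu_rc=1; }
  return $cu_rc
}

# Constructed sample: "prod" is fully migrated, "lab" lacks roles and a credential.
make_sample() {
  ms_dir=$(mktemp -d) && mkdir "$ms_dir/local" || return 1
  printf '[prod]\ncribl_roles = admin\n\n[lab]\nurl = https://lab.example:9000\n' \
    > "$ms_dir/local/utstream_instance.conf"   # url is a hypothetical key
  printf '[credential:prod:svc_utstream:]\npassword = $7$constructed\n' \
    > "$ms_dir/local/passwords.conf"
  echo "$ms_dir"
}

if [ $# -gt 0 ]; then check_upgrade "$1"; fi
```

The check only reads file names and stanza headers in local/; it never prints the contents of passwords.conf.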

Splunk Cloud

Because files cannot be renamed in Splunk Cloud, an upgrade is not possible. Please uninstall UTStream 1.0.0 and install UTStream 2.0.0.