Installing and configuring Splunk Stream (2024)

Implementation

1. Within the Splunk Stream app, select Configuration > Configure Streams.

2. The Configure Streams dashboard displays the default settings for protocol information to be collected. You mightwant to disable the defaults, then select the protocol and details to create your new stream. You can select all of the available protocols and disable them all at once, by clicking the checkbox next to Name on the title bar.

3. After selecting all of the protocols, click the Disable option.
4. Create a new stream for collecting the DNS details that you'd like to capture. Start by clickingthe New Stream button, then Metadata Stream.

5. This takes you into a workflow that allows you to configure the stream. Select DNS as the protocol in the Basic Info step of the workflow.

6. Give the streama name and description with some context to help you to identify the data, then click Next.

7. On the Aggregation step, selectNo for aggregation, then click Next. (You don't want aggregation because you want to see the individual DNS records.)

8. On the Fields screen, select the fields (specific to DNS) that you want to collect and store. Note that some fields,not all fields are selected by default. For proper security alerting and investigation, we recommend thatyou enable at least the following fields:

• bytes
• bytes_in
• bytes_out
• dest_ip
• dest_mac
• dest_port
• flow_id
• host_addr
• host_type
• hostname
• message_type
• name
• query
• query_type
• reply_code
• reply_code_id
• reverse_addr
• src_ip
• src_mac
• src_port
• transaction_id
• transport
• ttl

After you've selected the DNS fields that you'd like to collect, click Next.

9. (Optional)Define the filtering of the collected data on the Filters screen. The filters are based on the fields you selected on the previous screen. For example, if you only wanted Stream to capture queries for external domains, you could define that here. At this stage, defining filters is optional because you might want to adjust filters later afteryou've collected data for a while and know what you have and what you'd like to keep or discard.

10. Select the Next button again to go to the Settings screen, where you'll define the destination index for your DNS data.
11. Select the destination index from the dropdown menu. This will be the index you have already created and are going to store DNS data in. If you don't see the expected index listed here, it is because you never created the index. Do so now.We recommend creating the same indexes on the Search Head running the Stream App as the Indexers. Although Stream won'tstore data in those indexes,it will show up in the dropdown here. In our example we are storing data to the netdns index.

12. You cannow choose to save the configuration in Disabled mode, if you're notready to begin collecting data. You can also put it into Estimate mode to get an idea of how much data you'll be collecting after the configuration is enabled.

13. Click Nextto go to the Groups screen. Here, you canselect a group with which to associate the Stream configuration. You can follow the Distributed Forwarder Management documentation to create and manage forwarder groups to manage which Streams apply to which groups and machines. Use either the default group, or select the group you would like the configuration to apply to. Finally, click Create Stream to save your configuration.

Validation

If you've enabled the configuration, you should now be collecting DNS data. You can validate this by searching for:

index=<dns_index> sourcetype=stream:dns

Replace<dns_index> with the index you created to store your DNS data.

You should able to see JSON blobs of DNS transactions, with fields available on the left.