topic Re: Stream App: Configuring the streamfwd.xml in All Apps and Add-ons

Stream App: Configuring the streamfwd.xml

w0lverineNOP — Mon, 28 Sep 2020 19:13:18 GMT

Following the Documentation provided by splunk. I inserted the following in the streamfwd.xml file in $Splunk_Home/etc/apps/Splunk_TA_stream/local

*
/opt/splunk/pcaps/data.cap
true
tcp port 80
false
true
1000000
*
I do have "capture" in the xml script (will not let me add it in their)
But I am getting an error in the file:
Checking configuration...Error while parsing '/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.xml*' :
junk after document element: Line 9 column 0 ; which is the line beginning with capture

Re: Stream App: Configuring the streamfwd.xml

mdickey_splunk — Thu, 12 Mar 2015 22:08:52 GMT

That message is a generic XML parsing error. You might want to try opening the file in an XML editor to see what is wrong, or post the entire file here.

Re: Stream App: Configuring the streamfwd.xml

w0lverineNOP — Thu, 12 Mar 2015 22:16:30 GMT

I wish I could upload screen captures but I do not have enough points yet. But imagine the above script without the 5. and adding capture at the beginning and the end of the script.

Re: Stream App: Configuring the streamfwd.xml

w0lverineNOP — Thu, 12 Mar 2015 22:19:09 GMT

In the streamfwd.xml file do I need to delete the previous xml script in it before I add my capture script into the streamfwd.xml?

Re: Stream App: Configuring the streamfwd.xml

jsie_splunk — Mon, 28 Sep 2020 19:09:50 GMT

Hi w0lverineNOP,

You could try this snippet for your Capture section and see if that gets you up and running:

<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
</Capture>

Alternatively, if you already have the Splunk_TA_stream set up, and your intention is to perform a one-time ingestion of data from the pcap, you could also trigger streamfwd from the command line with this:

$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd  -r /opt/splunk/pcaps/data.cap -s localhost:8889 -b 1000000

(This is assuming you're running the command from a system that's got the Splunk_TA_stream installed and enabled, and you're on 64bit Linux. Otherwise substitute the appropriate architecture directory name.)

Regards,
Jackson

Re: Stream App: Configuring the streamfwd.xml

w0lverineNOP — Fri, 13 Mar 2015 14:39:23 GMT

Yes perfect! but which path do I need to be in to run streamfwd? It says:
Streamfwd command not found

I was in in my $Splunk_Home when I ran the command

Re: Stream App: Configuring the streamfwd.xml

jsie_splunk — Fri, 13 Mar 2015 14:43:15 GMT

Updated... 🙂

Re: Stream App: Configuring the streamfwd.xml

w0lverineNOP — Fri, 13 Mar 2015 15:02:15 GMT

Well that was well hidden. And I ran the command as directed in the ..../bin folder and I am still getting "streamfwd: command not found" error again.

streamfwd is in the directory. Splunk is running and I ran it as root. ...Give me a few minutes I am going to re-install the whole app again. (I might have fooled with something earlier)

Re: Stream App: Configuring the streamfwd.xml

w0lverineNOP — Mon, 28 Sep 2020 19:13:29 GMT

Okay. In the GUI. I get an error once I re-installed the stream app and enabled the streamfwd (had to restart again) it says the following:

Unable to intialize the modular input "streamfwd" defined inside the app "Splunk_TA_stream": Unable to locate suitable script for introspection

I went into the script section and I have 4 scripts (I have no other app installed) and both .py scripts are enabled. Any suggestions?

Re: Stream App: Configuring the streamfwd.xml

w0lverineNOP — Fri, 13 Mar 2015 23:14:45 GMT

./streamfwd is the answer ha

Re: Stream App: Configuring the streamfwd.xml

Lindaiyu — Fri, 29 May 2015 08:46:27 GMT

Hello,
I tried the second way by command line and it can work, however the first way that change the xml file doesnt work and I dont know why, could you give me some help, thank you very much

Re: Stream App: Configuring the streamfwd.xml

mdickey_splunk — Fri, 29 May 2015 23:40:53 GMT

The only difference between the XML config and the command line above is the <Filter> and <SysTime> nodes. Try removing those and it should work the same. It could be that your pcap doesn't contain "tcp port 80" packets.

Re: Stream App: Configuring the streamfwd.xml

Lindaiyu — Mon, 01 Jun 2015 09:23:15 GMT

Yes, because I used a proxy and there is nothing in port 80 when I delete the <filter>, it works now and thank you very much