topic Splunk Stream App - Ingest Pcap issue in Splunk Enterprise Security

Splunk Stream App - Ingest Pcap issue

psychogyiokosta — Thu, 09 Jan 2020 12:03:25 GMT

I installed Splunk Stream App and i try to ingest a pcap file into Splunk.

Specifically i select: Settings > Data Inputs > Pcap Files: Add New

Then i fill-in the required information as prompted by Splunk guide here: https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/UseStreamtoparsePCAPfiles

and click Next. I can see the file being loaded for a few seconds, but then nothing happens. I can;'t continue to the 2nd and last step of the uploading process "Done".

streamfwd.conf:

[streamfwd]
streamfwdcapture.0.offline = true
streamfwdcapture.0.interface = /path/to/pcap/testbed-13jun.pcap
streamfwdcapture.0.repeat = true

What am i doing wrong? Thank you.

Re: Splunk Stream App - Ingest Pcap issue

uagrawal_splunk — Thu, 09 Jan 2020 13:14:40 GMT

You are trying to upload the .pcap file or .cap file? In which Splunk version and Stream version you are facing an issue ?

Re: Splunk Stream App - Ingest Pcap issue

psychogyiokosta — Thu, 09 Jan 2020 13:20:11 GMT

hello, i am using Splunk Enterprise 8.0.0 & Splunk Stream 7.2.0 and i am trying to upload/index a .pcap file yes.

Re: Splunk Stream App - Ingest Pcap issue

uagrawal_splunk — Wed, 30 Sep 2020 03:34:09 GMT

I came across one known issue of uploading the pcap files from UI: https://docs.splunk.com/Documentation/StreamApp/7.2.0/ReleaseNotes/Knownissues

You can try the following command:

./streamfwd -r pcap_file_path

Re: Splunk Stream App - Ingest Pcap issue

psychogyiokosta — Fri, 10 Jan 2020 13:28:27 GMT

I believe this issue is related to mine:

https://answers.splunk.com/answers/665596/splunk-stream-app-uploading-a-large-pcap-file-fail.html

Looks like when uploading a large pcap with the UI option, it fails. I need to try with CLI commands as you suggest. I will update as soon as i can. Thanks