Hi.
I have deployed Splunk_TA_Stream to all the workstations, and was wondering if it is at all possible to get certain fields when the transport is HTTPS. Logically I think it should be possible, as the only fields I'm interested in are as follows:
dest_ip:
dest_port:
endtime:
site:
status:
sum(bytes_in):
sum(bytes_out):
sum(time_taken):
timestamp:
uri_path:
The only one I can see might give some trouble is status; the rest is routing information or calculated fields, but I might be mistaken.
Any help is much appreciated.
Kind regards
Lars
Yep, absolutely. Here is an example of the TCP stream I configured in my lab capturing SSL traffic to Apple:
{
app: apple
client_rtt: 5489
client_rtt_packets: 8
connection: 17.178.104.14:443
count: 1
data_packets_in: 8
data_packets_out: 6
dest_ip: 17.178.104.14
dest_mac: xxxxxxxxxxx
dest_port: 443
endtime: 2017-06-06T14:16:13.119283Z
network_interface: enp2s0f0
packets_in: 27
packets_out: 22
protocol_stack: ip:tcp:ssl:apple
refused: 0
request_time: 0
response_time: 0
server_rtt: 83024
server_rtt_packets: 6
src_ip: 10.10.242.2
src_mac: xxxxxxxxxxxxxxxx
src_port: 27090
sum(bytes): 12102
time_taken: 31431955
timestamp: 2017-06-06T14:16:13.119283Z
}
Hi.
Thanks for the info.
Your example is on the TCP protocol, and I'm unsure if it is possible to match an HTTP request/response to the count and time_taken in the TCP protocol, or there might be multiple TCP requests.
My ultimate goal is to capture the user experience as closely as possible; that's why I have deployed the UF on workstations, where the users are working. If at all possible I would rather have a log from the browser that told me how long it took to build the page, but I haven't found that yet. I can directly use the HTTP stream when SSL is not employed.
Kind regards
Lars
Do you own/operate the server that you are trying to monitor the experience of?
Have you looked at boomerang.js or some of the browser plugins that report on web performance?
Hi mmodestino.
I do the monitoring on workstations, and do not have access to the servers.
Kind regards
Lars
OK, so a couple of things:
I'll do some testing on being able to infer some semblance of experience from the HTTPS traffic... I believe despite the traffic being encrypted I still may be able to see what I might need to get an idea of an issue based on deviation from "normal"... obviously at less granularity. You can't report on URIs and whatnot, but you can report on general accessibility. https://docs.splunk.com/Documentation/StreamApp/7.1.0/User/StreamFieldDetails#Latency_information
Depending on the config of the web server, there is an option for SSL decryption of RSA keys:
https://docs.splunk.com/Documentation/StreamApp/7.1.0/DeployStreamApp/EnableSSLforStreamForwarder
There are web browser plugins that can do client side web performance tracking. What browser do your users use?
Hi mmodestino.
Our primary browser is IE 11. I have tried looking for plugins, but have so far been unsuccessful, so any hint in that direction would be great.
Kind regards
Lars
Yuck, IE.
Anyway, I played with capturing the TCP traffic hitting my Splunk server, which is SSL, and I still get rtt and time_taken, so you may be able to get at least some indication of an issue if responses to the TCP SSL spiked... Have to keep digging to see if this would be worth trying...
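Added example (not code from either poster or from the Stream app): the "deviation from normal" idea above, and the rtt/time_taken spike idea in the last reply, worked through on constructed stream:tcp records shaped like the event shown earlier in the thread. The script groups events per destination, builds a robust per-destination baseline (median and MAD) for server_rtt or time_taken, flags events that exceed it, and separately counts refused connections as an accessibility signal. The sample events, the threshold of 3 and the minimum of 5 samples per destination are assumptions chosen for the illustration.

```python
"""Per-destination latency baselining over Splunk Stream tcp records.

Added example, not Stream app code. The field names (dest_ip, dest_port,
server_rtt, time_taken, refused, timestamp) mirror the stream:tcp event
shown in the thread; the records below are constructed sample data.
"""
import statistics
from collections import defaultdict

MIN_SAMPLES = 5  # assumption: no baseline is computed for a destination with fewer samples


def _ev(ts, dest_ip, dest_port, server_rtt, time_taken, refused=0):
    """Build a flattened subset of a stream:tcp record (constructed data)."""
    return {"timestamp": ts, "dest_ip": dest_ip, "dest_port": dest_port,
            "server_rtt": server_rtt, "time_taken": time_taken, "refused": refused}


# Constructed sample events: eight normal TLS connections to one host, one RTT
# spike, and a second host that refuses two of three connection attempts.
SAMPLE_EVENTS = [
    _ev("2017-06-06T14:10:00Z", "17.178.104.14", 443, 80000, 30000000),
    _ev("2017-06-06T14:11:00Z", "17.178.104.14", 443, 82000, 31000000),
    _ev("2017-06-06T14:12:00Z", "17.178.104.14", 443, 83024, 31431955),
    _ev("2017-06-06T14:13:00Z", "17.178.104.14", 443, 84000, 32000000),
    _ev("2017-06-06T14:14:00Z", "17.178.104.14", 443, 81000, 30500000),
    _ev("2017-06-06T14:15:00Z", "17.178.104.14", 443, 85000, 31800000),
    _ev("2017-06-06T14:16:00Z", "17.178.104.14", 443, 79000, 29900000),
    _ev("2017-06-06T14:17:00Z", "17.178.104.14", 443, 82500, 31200000),
    _ev("2017-06-06T14:18:00Z", "17.178.104.14", 443, 400000, 31500000),  # server RTT spike
    _ev("2017-06-06T14:18:10Z", "10.10.0.5", 443, 0, 0, refused=1),
    _ev("2017-06-06T14:18:20Z", "10.10.0.5", 443, 4000, 900000),
    _ev("2017-06-06T14:18:30Z", "10.10.0.5", 443, 0, 0, refused=1),
]


def group_by_dest(events):
    """Group events by (dest_ip, dest_port), the granularity still visible under TLS."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["dest_ip"], ev["dest_port"])].append(ev)
    return groups


def robust_zscores(values):
    """Return (median, scaled MAD, z-scores). Median/MAD are not pulled by the spike itself."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    scale = 1.4826 * mad  # MAD scaled to be comparable with a standard deviation
    if scale == 0:
        # All samples identical: any deviation at all is notable.
        zs = [0.0 if v == med else float("inf") for v in values]
    else:
        zs = [(v - med) / scale for v in values]
    return med, scale, zs


def flag_latency_outliers(events, field="server_rtt", threshold=3.0, min_samples=MIN_SAMPLES):
    """Flag events whose `field` sits more than `threshold` robust z above the destination baseline."""
    flagged = []
    for (ip, port), evs in group_by_dest(events).items():
        usable = [e for e in evs if not e.get("refused") and field in e]
        if len(usable) < min_samples:
            continue  # too little history for this destination to call anything abnormal
        med, _scale, zs = robust_zscores([e[field] for e in usable])
        for e, z in zip(usable, zs):
            if z > threshold:
                flagged.append({"dest": f"{ip}:{port}", "timestamp": e["timestamp"],
                                field: e[field], "baseline_median": med, "z": round(z, 1)})
    return flagged


def refused_by_dest(events):
    """Count refused connections per destination: reachability is visible even when payload is not."""
    counts = defaultdict(int)
    for e in events:
        if e.get("refused"):
            counts[f"{e['dest_ip']}:{e['dest_port']}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in flag_latency_outliers(SAMPLE_EVENTS):
        print("latency outlier:", hit)
    for hit in flag_latency_outliers(SAMPLE_EVENTS, field="time_taken"):
        print("time_taken outlier:", hit)
    print("refused per dest:", refused_by_dest(SAMPLE_EVENTS))
```

On the sample data only the 14:18:00 connection to 17.178.104.14:443 is flagged on server_rtt (time_taken stays within its band), and 10.10.0.5:443 shows two refused attempts but gets no latency baseline because it has too few successful samples. In Splunk itself the same grouping would be a per-dest stats pass over the stream:tcp events; the Python is just to make the baseline arithmetic explicit.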