Solved: Can I use the Splunk App for Stream to monitor or ...

melonman · ‎11-23-2015

Hi

I have many PCAP files that have been collected in multiple locations, and stored them under /data/pcap directory of my Splunk instance.
I want to batch read or monitor the specified directory to read all the PCAP files under the directory.

Can I do this using Stream App or any other method?

Thanks,

vshcherbakov_sp · ‎11-30-2015

Stream TA (streamfwd binary) can process pcap files using CLI - see http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/streamfwdcommandlineoptions . You can wrap this command line into a shell script that that iterates over all *.pcap files in a directory for batch processing.

View solution in original post

vshcherbakov_sp · ‎11-30-2015

Stream TA (streamfwd binary) can process pcap files using CLI - see http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/streamfwdcommandlineoptions . You can wrap this command line into a shell script that that iterates over all *.pcap files in a directory for batch processing.

melonman · ‎11-25-2015

FYI, I ended up with converting PCAP dump file into XML, and put the XML into batch (sinkhole) directory...

Can I use the Splunk App for Stream to monitor or batch read a specified directory to read many PCAP files?

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Splunk Life | Happy Pride Month!

SplunkTrust | Where Are They Now - Michael Uschmann