All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can the Splunk App for Stream extract payload data?

hakansel05
New Member
‎09-09-2015 11:30 PM

Hi all,

Can the Splunk App for Stream save and/or extract the payload data? If yes, how can I enable this for stream?

Thanks in advance.

0 Karma
Reply

vshcherbakov_sp
Splunk Employee
Splunk Employee
‎09-10-2015 08:32 AM

Hello,

Stream supports the generic src_content/dest_content fields that represent the "payload" data for certain protocols such as HTTP or TCP. You can also extract specific parts of these fields (or any other textual fields for that matter) with a regular expression using so called "content extraction" feature of Stream. Here's the documentation link for more details: http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/ConfigureStreams#Use_Content_Ex...

0 Karma
Reply

hakansel05
New Member
‎09-11-2015 12:14 AM

Thanks but, there are no fields as src_content/dest_content. Also I have analyzed at the raw stream data in event by event, there is no like that data. Is there any need to more configuration to get more detailed capturing wire data?

0 Karma
Reply

vshcherbakov_sp
Splunk Employee
Splunk Employee
‎09-11-2015 09:15 AM

src_content/dest_content fields are available only for HTTP and TCP/UDP protocols and not enabled by default - you'll need to go to the Streams Config page and enable them. Also, there's a default field size limit of 10K that you may want to change by setting the MaxFieldSize parameter (see http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/ConfigureStreamForwarder#Advanc... for more details)

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...