All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can the Splunk App for Stream extract payload data?

hakansel05
New Member
‎09-09-2015 11:30 PM

Hi all,

Can the Splunk App for Stream save and/or extract the payload data? If yes, how can I enable this for stream?

Thanks in advance.

0 Karma
Reply

vshcherbakov_sp
Splunk Employee
Splunk Employee
‎09-10-2015 08:32 AM

Hello,

Stream supports the generic src_content/dest_content fields that represent the "payload" data for certain protocols such as HTTP or TCP. You can also extract specific parts of these fields (or any other textual fields for that matter) with a regular expression using so called "content extraction" feature of Stream. Here's the documentation link for more details: http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/ConfigureStreams#Use_Content_Ex...

0 Karma
Reply

hakansel05
New Member
‎09-11-2015 12:14 AM

Thanks but, there are no fields as src_content/dest_content. Also I have analyzed at the raw stream data in event by event, there is no like that data. Is there any need to more configuration to get more detailed capturing wire data?

0 Karma
Reply

vshcherbakov_sp
Splunk Employee
Splunk Employee
‎09-11-2015 09:15 AM

src_content/dest_content fields are available only for HTTP and TCP/UDP protocols and not enabled by default - you'll need to go to the Streams Config page and enable them. Also, there's a default field size limit of 10K that you may want to change by setting the MaxFieldSize parameter (see http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/ConfigureStreamForwarder#Advanc... for more details)

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...