Solved: Can the traffic be collapsed via Packet Broker or ...

umplebyj · ‎08-07-2018

Hey, I have a question regarding splunk streams getting data feeds from a network tap. Can the traffic be collapsed via Packet Broker or some other technology to feed both directions into a single port? I'm pretty sure it can be since it's just listening to traffic coming in period and capturing data from it, but want to make sure I don't have to separate out directions going each way.

vshcherbakov_sp · ‎08-07-2018

hi @umplebyj,

I believe it is possible if your hardware (Packet Broker, monitoring switch, etc) supports this. The obvious caveat is that you'd still be using only ingress (Rx) bandwidth on your capture port, so you will need to make sure you're not overloading it with the merged traffic.

Stream can also monitor two separate ports (one for ingress and the other for egress part of the traffic) as a part of a single monitoring setup. I'd recommend this approach unless you have specific reasons against it.

HTH

View solution in original post

vshcherbakov_sp · ‎08-07-2018

hi @umplebyj,

I believe it is possible if your hardware (Packet Broker, monitoring switch, etc) supports this. The obvious caveat is that you'd still be using only ingress (Rx) bandwidth on your capture port, so you will need to make sure you're not overloading it with the merged traffic.

Stream can also monitor two separate ports (one for ingress and the other for egress part of the traffic) as a part of a single monitoring setup. I'd recommend this approach unless you have specific reasons against it.

HTH

Can the traffic be collapsed via Packet Broker or some other technology to feed both directions into a single port in Splunk Streams?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!