Get attributes with NIC and VLAN IDs?

rolf_sommerhald
Explorer

Is there any possibility to receive attributes on which network interface and/or VLAN ID streamfwd has received a packet?

Can the reactor be customized so that it provides these and additional attributes, notably additional fields after dissecting DNS flows?

If not, can you please consider this as a feature request?
(How shall we best submit feature requests, not being (yet) customers with a maintenance contract?)

0 Karma

mathiask
Communicator

Sounds awesome

I think it would be good to have
- receiving interface name
- receiving port
In many cases the port might already be enough, but we have to go through a virtual interface so

The previously mentioned VLAN tags are rather something for the flow layer...
It might help if you process traffic from one network domain, but if the processed traffic originates from different networks with their own VLAN tag allocation... out of luck 🙂

0 Karma
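The ambiguity raised in the reply above (the same VLAN ID reused by different networks, which only a receiving-interface attribute would resolve) as an added example. This is not code from the thread or from Splunk Stream; it is a small standalone 802.1Q parser over constructed frames, and the interface names, MAC addresses and payloads are all made up for the demonstration.

```python
import struct
from collections import Counter

ETHERTYPE_VLAN = 0x8100   # 802.1Q Tag Protocol Identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0):
    """Build an Ethernet II frame, optionally with a single 802.1Q tag.
    Used here only to construct sample captures (assumed test data)."""
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 0xFFF:
            raise ValueError("VLAN ID must fit in 12 bits")
        tci = (pcp << 13) | vlan_id            # PCP(3) | DEI(1, clear) | VID(12)
        header += struct.pack("!HH", ETHERTYPE_VLAN, tci)
    header += struct.pack("!H", ethertype)
    return header + payload


def parse_frame(frame):
    """Dissect the Ethernet header and, if present, one 802.1Q tag.
    Returns a dict with MACs, VLAN ID (None when untagged), PCP and payload."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    offset, vlan_id, pcp = 14, None, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp = tci >> 13
        vlan_id = tci & 0x0FFF
        offset = 18
    return {"dst": dst.hex(), "src": src.hex(), "vlan_id": vlan_id,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}


def attribution_keys(captures, with_interface):
    """captures: iterable of (receiving_interface, raw_frame) pairs.
    Counts packets per attribution key: (vlan_id,) when only the tag is
    available, (interface, vlan_id) when the capture point also records
    which interface the frame arrived on."""
    keys = Counter()
    for iface, frame in captures:
        info = parse_frame(frame)
        key = (iface, info["vlan_id"]) if with_interface else (info["vlan_id"],)
        keys[key] += 1
    return keys


# Constructed sample: two source networks that both allocate VLAN 100,
# each delivered on its own interface of the capture host.
MAC_GW = bytes.fromhex("020000000099")
MAC_NET_A = bytes.fromhex("020000000001")
MAC_NET_B = bytes.fromhex("020000000002")
DUMMY_IPV4 = b"\x45" + b"\x00" * 19          # placeholder IPv4 header bytes

SAMPLE_CAPTURES = [
    ("eth1", build_frame(MAC_GW, MAC_NET_A, ETHERTYPE_IPV4, DUMMY_IPV4, vlan_id=100)),
    ("eth1", build_frame(MAC_GW, MAC_NET_A, ETHERTYPE_IPV4, DUMMY_IPV4, vlan_id=100)),
    ("eth2", build_frame(MAC_GW, MAC_NET_B, ETHERTYPE_IPV4, DUMMY_IPV4, vlan_id=100)),
    ("eth2", build_frame(MAC_GW, MAC_NET_B, ETHERTYPE_IPV4, DUMMY_IPV4, vlan_id=200)),
]


def main():
    print("keyed by VLAN only:      ", dict(attribution_keys(SAMPLE_CAPTURES, False)))
    print("keyed by interface+VLAN: ", dict(attribution_keys(SAMPLE_CAPTURES, True)))


if __name__ == "__main__":
    main()
```

Keyed by the tag alone, the three VLAN 100 frames from network A and network B collapse into one bucket; keyed by receiving interface plus tag, they separate, which is the attribute the thread is asking the forwarder to expose.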

csharp_splunk
Splunk Employee

Sadly we haven't done this yet. I'm looking into getting this in the next release.

mathiask
Communicator

Hi Splunkers

Any update on this front?

Use Case
I'm forwarding traffic from different sources to the stream processing instance.
But I would like to later be able to distinguish the traffic from the different sources.
Solution 1 : Create for each source a separate processing instance ...
Solution 2 : Install multiple ufwd on the instance using different identifiers
Solution 3 : Process all the traffic on the same instance, but have it tagged by receiving interface name on the streamfwd.

Solution 3 would be the best.
Solution 2 might work ...

Greetings

0 Karma

csharp_splunk
Splunk Employee

Perfectly fine place to request features! Clayton has put this in the backlog for you, and we'll look into doing this in the next release. It's not much work, so we'll likely be able to deliver.

What additional data are you looking for from DNS?

0 Karma

cching_splunk
Splunk Employee

This is not possible at this time and is something we will have to investigate further.

0 Karma