All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How Do I Edit the inputs.conf File to a PCAP Added as a Data Input?

genesiusj
Builder
‎07-06-2018 11:21 AM

Hello,
I have a single instance of Splunk 7.1 (free) and I installed the Splunk Stream app. I added a previously captured pcap file as a Data Input, following all of the instructions. I have done this several times because I do not see the pcap data when I perform a search. I deleted the pcap as an input one last time, and created a new index, which I used when I created a final Data Input. Although I am searching on Index="pcap_test", the name of the index I created, and am searching for All Time, I have 0 events returned.

Reading this Splunk Answers post,
https://answers.splunk.com/answers/547556/problem-ingesting-pcap-file-with-stream-modular-in.html,
I learned the inputs.conf file needs to be edited. However, I don't know what information it needs. The above post did not give details.

Thanks for your help and God bless,
Genesius

0 Karma
Reply

genesiusj
Builder
‎07-11-2018 12:30 PM

Thanks @pwilson33 for the response.
There is no administrator. I'm it.

I have a single instance of Splunk 7.1 (free) and I installed the Splunk Stream app.
I'll have a look at the inputs.conf file, of which I have 19.
Correction 20. The last one is inputs.conf.example.
Performing a search for "PCAP" or "stream" on this file returns 0 results.

Manually checking the file I could not find anything remotely related to PCAP or stream.
But, I am newbie.

Thanks and God bless,
Genesius

0 Karma
Reply

pwilson33
New Member
‎07-11-2018 07:21 AM

If you don't configure the inputs.conf file, you won't get data. The linked page to inputs.conf should give you what you need, since it explains the preference order of the different files. The files are pretty heavily commented and explain what the different stanzas do, so which section are you having trouble understanding? If you're confused about the setup, your network administrator should be able to assist you, since those sections are related to the actual installation. If they're not known, you probably wouldn't have been able to install at all.,If you haven't configured your installation yet, you're not going to be getting the data. Is there a part of the inputs.conf file that you're having problems with? It's very heavily commented with detailed explanations of what these things do. If you don't configure it, it obviously won't work. The information you put in it should be self-evident, since its things you fill in about your environment and installation. If you're having problems with those things, contact your administrator.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...