- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How Do I Edit the inputs.conf File to a PCAP Added...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How Do I Edit the inputs.conf File to a PCAP Added as a Data Input?
Hello,
I have a single instance of Splunk 7.1 (free) and I installed the Splunk Stream app. I added a previously captured pcap file as a Data Input, following all of the instructions. I have done this several times because I do not see the pcap data when I perform a search. I deleted the pcap as an input one last time, and created a new index, which I used when I created a final Data Input. Although I am searching on Index="pcap_test", the name of the index I created, and am searching for All Time, I have 0 events returned.
Reading this Splunk Answers post,
https://answers.splunk.com/answers/547556/problem-ingesting-pcap-file-with-stream-modular-in.html,
I learned the inputs.conf file needs to be edited. However, I don't know what information it needs. The above post did not give details.
Thanks for your help and God bless,
Genesius
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @pwilson33 for the response.
There is no administrator. I'm it.
I have a single instance of Splunk 7.1 (free) and I installed the Splunk Stream app.
I'll have a look at the inputs.conf file, of which I have 19.
Correction 20. The last one is inputs.conf.example.
Performing a search for "PCAP" or "stream" on this file returns 0 results.
Manually checking the file I could not find anything remotely related to PCAP or stream.
But, I am newbie.
Thanks and God bless,
Genesius
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you don't configure the inputs.conf file, you won't get data. The linked page to inputs.conf should give you what you need, since it explains the preference order of the different files. The files are pretty heavily commented and explain what the different stanzas do, so which section are you having trouble understanding? If you're confused about the setup, your network administrator should be able to assist you, since those sections are related to the actual installation. If they're not known, you probably wouldn't have been able to install at all.,If you haven't configured your installation yet, you're not going to be getting the data. Is there a part of the inputs.conf file that you're having problems with? It's very heavily commented with detailed explanations of what these things do. If you don't configure it, it obviously won't work. The information you put in it should be self-evident, since its things you fill in about your environment and installation. If you're having problems with those things, contact your administrator.
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
