
How to configure a 2nd network interface for Splunk App for Stream?

BG3000
New Member

My Splunk server has two gigabit NICs (eth0 and eth1), both on the same subnet.

eth0 and its assigned IP address is where the main Splunk interface is accessed by other hosts on the subnet (both to access the interface via a web browser, and also to forward log data via syslog or forwarders).

I have connected a SPAN port on my switch to eth1 on my Splunk server. This SPAN port is a mirror of the switch port used by 'Server A' (which is also running the Splunk Universal Forwarder).

I've got the Splunk App for Stream installed and running, but cannot work out how to get it to 'listen' on traffic arriving on eth1. In other words, I just want the Stream app to collect network traffic pertaining to 'Server A' and nothing else. But at present, it seems to be collecting traffic related to the Splunk server itself, which suggests the Stream app is simply 'listening' on eth0.

Please can someone tell me how to configure multiple NICs within Splunk, and also if this is the correct approach to get the Stream App to collect Cisco SPAN port traffic?

Thanks.

0 Karma

vshcherbakov_sp
Splunk Employee

Do you have any explicit network interface configuration set up? You can tell Splunk_TA_stream (the network capture part of Stream) to listen to a specific interface via the streamfwd.xml config file - http://docs.splunk.com/Documentation/StreamApp/6.4.2/DeployStreamApp/ConfigureStreamForwarder#Use_Ca...

0 Karma