All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to forward pcap files from a Linux universal forwarder to Splunk on a Windows machine with the PCAP Analyzer for Splunk app?

billcyz
Engager
‎08-02-2015 10:43 PM

I have Snort IDS running on aLinux machine, and I have some pcap files from Snort. I have installed a Universal Forwarder on Linux, and I want to forward the pcap files to Splunk which is on a Windows machine. I also downloaded the Splunk application for PCAP which is called Splunk PCAP Analyzer, but I don't know how to forward pcap files to the application on Splunk.

Can anyone help me with that? Any help would be great.

Thank You

0 Karma
Reply

woodcock
Esteemed Legend
‎08-03-2015 06:14 AM

Wherever the pcap files end up, you need to install a Splunk forwarder there. Then you need to create an inputs.conf stanza to monitor for the incoming pcap files. Assuming all the files will appear in the same directory, it is very easy and you can read about it here:

http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Monitorfilesanddirectories
http://docs.splunk.com/Documentation/Splunk/6.2.4/Data/Editinputs.conf

Reply

billcyz
Engager
‎08-03-2015 06:46 AM

I have insatlled Universal Forwarder on my Linux machine, but I am confused about the source type. On the other hand, I also want to use Splunk PCAP Analyzer, however not so many resources available. Could you please give me some advice?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-03-2015 07:06 AM

Look inside the files that the app installs and see what sourcetype it expects/uses. Then use that same name for your sourcetype. I have not used that app but it should have a README file that will get you started.

0 Karma
Reply
Get Updates on the Splunk Community!

New Year, New Changes for Splunk Certifications

As we embrace a new year, we’re making a small but important update to the Splunk Certification ...

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...