I am trying to run Stream against a few old pcaps. My setup includes the following:
Created an index that is pointing to an uploaded file of old pcaps and had the Stream Forwarder pointed to the index.
I have my host IP address added to the whitelist and it is still being caught and indexed.
Any suggestions?
Per the doc, you can edit the streamfwd.xml file:
Example 4: Use pcap file instead of network interface
You can also use a previously generated pcap file instead of an actual network interface, using this variation of the element.
<Interface>/tmp/data.cap</Interface>
<Offline>true</Offline>
<Filter>tcp port 80</Filter>
<Repeat>true</Repeat>
<SysTime>true</SysTime>
<BitsPerSecond>10000000</BitsPerSecond>
http://docs.splunk.com/Documentation/StreamApp/6.1.1/DeployStreamApp/ConfigureStreamForwarder
Thank you!!