I am trying to run Stream against pcap data. I am having trouble executing the streamfwd command. I am in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_86_64/bin
>>#streamfwd -r /data.cap
>>streamfwd: command not found
What do you think is causing this error? I have confirmed the following:
I ran the file command on streamfwd and the output is: setuid ELF 64 bit executable
The [streamfwd://streamfwd] stanza contains the correct location (URI) of your splunk_app_stream installation
setuid.sh is running as root
Any troubleshooting suggestions would be greatly appreciated. Another way of solving my problem of trying to index pcaps with stream is to run tcpreplay on a specific interface and have the streamfwd listening on the specific interface, this technique should work as well if all else fails correct?
It is the correct path. Though I tried that and still the same error. If it was a working directory error wouldn't streamfwd command be recognized and I would receive a directory path not found error?
Could it actually be the command itself?
No change. And I also tried chmod 755 streamfwd
I tried to move my data.cap into the ../bin directory with streamfwd. It disappeared. Also I tried to cat streamfwd doesn't even recognize streamfwd is their (though I see it in the directory)
The file permissions for bin is the following:
I am wondering could you run the streamfwd? I have reinstalled the app twice ... I might need to reinstall Splunk??