
Stream App: Configuring the streamfwd.xml

w0lverineNOP
Path Finder

Following the Documentation provided by splunk. I inserted the following in the streamfwd.xml file in $Splunk_Home/etc/apps/Splunk_TA_stream/local

*
/opt/splunk/pcaps/data.cap
true
tcp port 80
false
true
1000000
*
I do have "capture" in the xml script (it will not let me add it in there).
But I am getting an error in the file:
Checking configuration...Error while parsing '/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.xml*' :
junk after document element: Line 9 column 0 ; which is the line beginning with capture


jsie_splunk
Splunk Employee

Hi w0lverineNOP,

You could try this snippet for your Capture section and see if that gets you up and running:

<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
</Capture>

Alternatively, if you already have the Splunk_TA_stream set up, and your intention is to perform a one-time ingestion of data from the pcap, you could also trigger streamfwd from the command line with this:

$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd  -r /opt/splunk/pcaps/data.cap -s localhost:8889 -b 1000000

(This is assuming you're running the command from a system that's got the Splunk_TA_stream installed and enabled, and you're on 64bit Linux. Otherwise substitute the appropriate architecture directory name.)

Regards,
Jackson

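The parse error in the question ("junk after document element") is what an XML parser reports when a second top-level element follows the closing tag of the file's root, which is what happens when a `<Capture>` block is pasted after the existing config rather than inside it. The following checker is an added example, not Splunk's code; it parses a streamfwd.xml, explains that specific error, and then sanity-checks the `<Capture>` settings used in this thread (offline pcap path, integer `BitsPerSecond`, and a `<Filter>` that may match nothing, as noted later in the thread). The root element name `StreamfwdConfig` in the constructed samples is an assumption.

```python
"""Sanity-check a Splunk Stream streamfwd.xml before restarting streamfwd (added example)."""
import os
import xml.etree.ElementTree as ET

REQUIRED = ("Interface", "Offline")  # assumption: minimal keys for an offline pcap replay

# Constructed samples: the broken layout appends <Capture> after the root closes.
BROKEN = """<StreamfwdConfig></StreamfwdConfig>
<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
</Capture>"""

FIXED = """<StreamfwdConfig>
<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
</Capture>
</StreamfwdConfig>"""


def check_streamfwd_xml(text, file_exists=os.path.exists):
    """Return a list of findings; an empty list means the config looks usable."""
    findings = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        msg = str(exc)
        if "junk after document element" in msg:
            msg += " (a second top-level element: nest <Capture> inside the existing root)"
        return ["parse error: " + msg]
    captures = root.findall("Capture")  # direct children of the root only
    if not captures:
        return ["no <Capture> element found under <%s>" % root.tag]
    for cap in captures:
        def get(name):
            return (cap.findtext(name) or "").strip()
        for name in REQUIRED:
            if not get(name):
                findings.append("<Capture> missing <%s>" % name)
        if get("Offline").lower() == "true" and get("Interface") and not file_exists(get("Interface")):
            findings.append("Offline capture file not found: " + get("Interface"))
        if get("BitsPerSecond") and not get("BitsPerSecond").isdigit():
            findings.append("<BitsPerSecond> must be an integer, got %r" % get("BitsPerSecond"))
        if get("Filter"):
            findings.append("note: <Filter> %r is applied; a pcap with no matching packets yields no events" % get("Filter"))
    return findings


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_streamfwd_xml(sample))
```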


Lindaiyu
Path Finder

Hello,
I tried the second way, by command line, and it works; however, the first way, changing the xml file, doesn't work and I don't know why. Could you give me some help? Thank you very much.


mdickey_splunk
Splunk Employee

The only difference between the XML config and the command line above is the <Filter> and <SysTime> nodes. Try removing those and it should work the same. It could be that your pcap doesn't contain "tcp port 80" packets.


Lindaiyu
Path Finder

Yes, because I used a proxy and there is nothing on port 80. When I deleted the <Filter>, it worked. Thank you very much.


w0lverineNOP
Path Finder

Yes, perfect! But which path do I need to be in to run streamfwd? It says:
Streamfwd command not found

I was in my $Splunk_Home when I ran the command.


jsie_splunk
Splunk Employee

Updated... 🙂


w0lverineNOP
Path Finder

Well, that was well hidden. I ran the command as directed in the ..../bin folder and I am still getting the "streamfwd: command not found" error again.

streamfwd is in the directory. Splunk is running and I ran it as root. ...Give me a few minutes I am going to re-install the whole app again. (I might have fooled with something earlier)


w0lverineNOP
Path Finder

Okay. In the GUI, I get an error once I re-installed the stream app and enabled the streamfwd (had to restart again). It says the following:

Unable to intialize the modular input "streamfwd" defined inside the app "Splunk_TA_stream": Unable to locate suitable script for introspection

I went into the script section and I have 4 scripts (I have no other app installed) and both .py scripts are enabled. Any suggestions?


w0lverineNOP
Path Finder

./streamfwd is the answer ha


mdickey_splunk
Splunk Employee

That message is a generic XML parsing error. You might want to try opening the file in an XML editor to see what is wrong, or post the entire file here.


w0lverineNOP
Path Finder

I wish I could upload screen captures, but I do not have enough points yet. But imagine the above script without the 5. and adding capture at the beginning and the end of the script.


w0lverineNOP
Path Finder

In the streamfwd.xml file do I need to delete the previous xml script in it before I add my capture script into the streamfwd.xml?
