Following the documentation provided by Splunk, I inserted the following in the streamfwd.xml file in $Splunk_Home/etc/apps/Splunk_TA_stream/local.
I do have "capture" in the XML script (it will not let me add it in here), but I am getting an error in the file:
Checking configuration...Error while parsing '/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.xml*' :
junk after document element: Line 9 column 0 ; which is the line beginning with capture

Hi w0lverineNOP,
You could try this snippet for your Capture section and see if that gets you up and running:
<Capture>
  <Interface>/opt/splunk/pcaps/data.cap</Interface>
  <Offline>true</Offline>
  <Filter>tcp port 80</Filter>
  <Repeat>false</Repeat>
  <SysTime>true</SysTime>
  <BitsPerSecond>1000000</BitsPerSecond>
</Capture>
Alternatively, if you already have the Splunk_TA_stream set up, and your intention is to perform a one-time ingestion of data from the pcap, you could also trigger streamfwd from the command line with this:
$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r /opt/splunk/pcaps/data.cap -s localhost:8889 -b 1000000
(This is assuming you're running the command from a system that's got the Splunk_TA_stream installed and enabled, and you're on 64bit Linux. Otherwise substitute the appropriate architecture directory name.)
Regards,
Jackson
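As an added illustration (not from the thread or from Splunk), this Python check shows why the "junk after document element" error from the question appears when a `<Capture>` block is pasted after the closing root tag, and extracts the Capture settings once the block is nested correctly; both configs are constructed and the `<Streamfwd>` root element name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed example, not the page's file: the root element name
# <Streamfwd> is assumed. Here a pcap <Capture> block was pasted
# *after* the closing root tag, giving the file two root elements.
BROKEN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Streamfwd>
  <Capture>
    <Interface>eth0</Interface>
  </Capture>
</Streamfwd>
<Capture>
  <Interface>/opt/splunk/pcaps/data.cap</Interface>
  <Offline>true</Offline>
</Capture>
"""

# Constructed: the block from the answer above, nested inside the root.
FIXED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Streamfwd>
  <Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
  </Capture>
</Streamfwd>
"""


def check_config(xml_text):
    """Return ("ok", [capture dicts]) or ("error", parser message)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # XML allows a single root element; anything after its closing tag
        # is reported as "junk after document element: line N, column 0",
        # the same error quoted in the question.
        return "error", str(exc)
    # Flatten each <Capture> block into a tag -> text mapping.
    captures = [{c.tag: (c.text or "").strip() for c in cap}
                for cap in root.findall("Capture")]
    return "ok", captures


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_XML), ("fixed", FIXED_XML)):
        print(name, check_config(text))
```

Running it against a real streamfwd.xml (read the file and pass its text to check_config) reports the same parse position that the Splunk configuration check prints.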

Hello,
I tried the second way, by command line, and it works. However, the first way, changing the XML file, doesn't work and I don't know why. Could you give me some help? Thank you very much.

The only difference between the XML config and the command line above is the <Filter> and <SysTime> nodes. Try removing those and it should work the same. It could be that your pcap doesn't contain "tcp port 80" packets.

Yes, because I used a proxy there is nothing on port 80. When I delete the <Filter>, it works now. Thank you very much.
Yes, perfect! But which path do I need to be in to run streamfwd? It says:
Streamfwd command not found
I was in my $Splunk_Home when I ran the command.

Updated... 🙂
Well, that was well hidden. I ran the command as directed in the ..../bin folder and I am still getting the "streamfwd: command not found" error again.
streamfwd is in the directory. Splunk is running and I ran it as root. ...Give me a few minutes, I am going to re-install the whole app again. (I might have fooled with something earlier.)
Okay. In the GUI, I get an error once I re-installed the stream app and enabled the streamfwd (had to restart again). It says the following:
Unable to intialize the modular input "streamfwd" defined inside the app "Splunk_TA_stream": Unable to locate suitable script for introspection
I went into the script section and I have 4 scripts (I have no other app installed) and both .py scripts are enabled. Any suggestions?
./streamfwd is the answer, ha.

That message is a generic XML parsing error. You might want to try opening the file in an XML editor to see what is wrong, or post the entire file here.
I wish I could upload screen captures but I do not have enough points yet. But imagine the above script without the 5. and adding capture at the beginning and the end of the script.
In the streamfwd.xml file do I need to delete the previous xml script in it before I add my capture script into the streamfwd.xml?
