Stream App: Configuring the streamfwd.xml

w0lverineNOP
Path Finder

Following the documentation provided by Splunk, I inserted the following in the streamfwd.xml file in $Splunk_Home/etc/apps/Splunk_TA_stream/local:

<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
</Capture>

I do have "Capture" in the XML script (the forum will not let me add it in here).
But I am getting an error in the file:
Checking configuration...Error while parsing '/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.xml*' :
junk after document element: Line 9 column 0 ; which is the line beginning with capture

0 Karma
1 Solution

jsie_splunk
Splunk Employee

Hi w0lverineNOP,

You could try this snippet for your Capture section and see if that gets you up and running:

<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
</Capture>

Alternatively, if you already have the Splunk_TA_stream set up, and your intention is to perform a one-time ingestion of data from the pcap, you could also trigger streamfwd from the command line with this:

$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r /opt/splunk/pcaps/data.cap -s localhost:8889 -b 1000000

(This is assuming you're running the command from a system that's got the Splunk_TA_stream installed and enabled, and you're on 64bit Linux. Otherwise substitute the appropriate architecture directory name.)

Regards,
Jackson

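The parse error in the question, "junk after document element", is what an XML parser reports when a second top-level element follows the closed root element, which is what happens if a <Capture> block is pasted after the end of the existing file instead of inside its root. The following Python check is an added example, not code from the thread or from Splunk: it reproduces the error on a constructed streamfwd.xml with <Capture> appended after the root, then parses a version with <Capture> nested inside the root and lists the capture settings. The <StreamForwarder> root element name is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Capture> block was appended AFTER the closing root
# tag, which is what produces "junk after document element". The root element
# name <StreamForwarder> is assumed here, not taken from the thread.
BROKEN_XML = """<?xml version="1.0" encoding="UTF-8"?>
<StreamForwarder>
    <!-- existing settings -->
</StreamForwarder>
<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
</Capture>
"""

# Constructed sample: same content, with <Capture> nested inside the root.
FIXED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<StreamForwarder>
    <Capture>
        <Interface>/opt/splunk/pcaps/data.cap</Interface>
        <Offline>true</Offline>
        <Filter>tcp port 80</Filter>
        <Repeat>false</Repeat>
        <SysTime>true</SysTime>
        <BitsPerSecond>1000000</BitsPerSecond>
    </Capture>
</StreamForwarder>
"""


def check_streamfwd_xml(text):
    """Parse a streamfwd.xml document and summarise its <Capture> sections.

    Returns (ok, detail): on a well-formedness error ok is False and detail
    is the parser's message (with line/column); otherwise ok is True and
    detail is a list with one dict of child tag -> text per <Capture>.
    """
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # ET reports the offending position, e.g.
        # "junk after document element: line 5, column 0"
        return False, str(exc)
    captures = []
    for cap in root.iter("Capture"):
        captures.append({child.tag: (child.text or "").strip() for child in cap})
    return True, captures
```

Running this over the real file before restarting streamfwd shows whether the document has a single root and which capture settings the parser actually sees.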
Lindaiyu
Path Finder

Hello,
I tried the second way, by command line, and it works; however, the first way, changing the XML file, doesn't work and I don't know why. Could you give me some help? Thank you very much.

0 Karma

mdickey_splunk
Splunk Employee

The only differences between the XML config and the command line above are the <Filter> and <SysTime> nodes. Try removing those and it should work the same. It could be that your pcap doesn't contain "tcp port 80" packets.

0 Karma

Lindaiyu
Path Finder

Yes, because I used a proxy there is nothing on port 80. When I delete the <Filter>, it works now. Thank you very much.

0 Karma

w0lverineNOP
Path Finder

Yes, perfect! But which path do I need to be in to run streamfwd? It says:
Streamfwd command not found

I was in my $Splunk_Home when I ran the command.

0 Karma

jsie_splunk
Splunk Employee

Updated... 🙂

0 Karma

w0lverineNOP
Path Finder

Well, that was well hidden. I ran the command as directed in the ..../bin folder and I am still getting the "streamfwd: command not found" error again.

streamfwd is in the directory. Splunk is running and I ran it as root. ...Give me a few minutes, I am going to re-install the whole app again. (I might have fooled with something earlier.)

0 Karma

w0lverineNOP
Path Finder

Okay. In the GUI, I get an error once I re-installed the Stream app and enabled streamfwd (had to restart again). It says the following:

Unable to intialize the modular input "streamfwd" defined inside the app "Splunk_TA_stream": Unable to locate suitable script for introspection

I went into the script section and I have 4 scripts (I have no other app installed) and both .py scripts are enabled. Any suggestions?

0 Karma

w0lverineNOP
Path Finder

./streamfwd is the answer ha

0 Karma

mdickey_splunk
Splunk Employee

That message is a generic XML parsing error. You might want to try opening the file in an XML editor to see what is wrong, or post the entire file here.

0 Karma

w0lverineNOP
Path Finder

I wish I could upload screen captures but I do not have enough points yet. But imagine the above script without the 5. and adding capture at the beginning and the end of the script.

0 Karma

w0lverineNOP
Path Finder

In the streamfwd.xml file do I need to delete the previous xml script in it before I add my capture script into the streamfwd.xml?

0 Karma