Solved: Re: Stream App: Configuring the streamfwd.xml

w0lverineNOP · ‎03-12-2015

Following the Documentation provided by splunk. I inserted the following in the streamfwd.xml file in $Splunk_Home/etc/apps/Splunk_TA_stream/local

*
/opt/splunk/pcaps/data.cap
true
tcp port 80
false
true
1000000
*
I do have "capture" in the xml script (will not let me add it in their)
But I am getting an error in the file:
Checking configuration...Error while parsing '/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.xml*' :
junk after document element: Line 9 column 0 ; which is the line beginning with capture

jsie_splunk · ‎03-13-2015

Hi w0lverineNOP,

You could try this snippet for your Capture section and see if that gets you up and running:

<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
</Capture>

Alternatively, if you already have the Splunk_TA_stream set up, and your intention is to perform a one-time ingestion of data from the pcap, you could also trigger streamfwd from the command line with this:

$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd  -r /opt/splunk/pcaps/data.cap -s localhost:8889 -b 1000000

(This is assuming you're running the command from a system that's got the Splunk_TA_stream installed and enabled, and you're on 64bit Linux. Otherwise substitute the appropriate architecture directory name.)

Regards,
Jackson

View solution in original post

jsie_splunk · ‎03-13-2015

Hi w0lverineNOP,

You could try this snippet for your Capture section and see if that gets you up and running:

<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
</Capture>

Alternatively, if you already have the Splunk_TA_stream set up, and your intention is to perform a one-time ingestion of data from the pcap, you could also trigger streamfwd from the command line with this:

$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd  -r /opt/splunk/pcaps/data.cap -s localhost:8889 -b 1000000

(This is assuming you're running the command from a system that's got the Splunk_TA_stream installed and enabled, and you're on 64bit Linux. Otherwise substitute the appropriate architecture directory name.)

Regards,
Jackson

Lindaiyu · ‎05-29-2015

Hello,
I tried the second way by command line and it can work, however the first way that change the xml file doesnt work and I dont know why, could you give me some help, thank you very much

mdickey_splunk · ‎05-29-2015

The only difference between the XML config and the command line above is the <Filter> and <SysTime> nodes. Try removing those and it should work the same. It could be that your pcap doesn't contain "tcp port 80" packets.

Lindaiyu · ‎06-01-2015

Yes, because I used a proxy and there is nothing in port 80 when I delete the <filter>, it works now and thank you very much

w0lverineNOP · ‎03-13-2015

Yes perfect! but which path do I need to be in to run streamfwd? It says:
Streamfwd command not found

I was in in my $Splunk_Home when I ran the command

jsie_splunk · ‎03-13-2015

Updated... 🙂

w0lverineNOP · ‎03-13-2015

Well that was well hidden. And I ran the command as directed in the ..../bin folder and I am still getting "streamfwd: command not found" error again.

streamfwd is in the directory. Splunk is running and I ran it as root. ...Give me a few minutes I am going to re-install the whole app again. (I might have fooled with something earlier)

w0lverineNOP · ‎03-13-2015

Okay. In the GUI. I get an error once I re-installed the stream app and enabled the streamfwd (had to restart again) it says the following:

Unable to intialize the modular input "streamfwd" defined inside the app "Splunk_TA_stream": Unable to locate suitable script for introspection

I went into the script section and I have 4 scripts (I have no other app installed) and both .py scripts are enabled. Any suggestions?

w0lverineNOP · ‎03-13-2015

./streamfwd is the answer ha

mdickey_splunk · ‎03-12-2015

That message is a generic XML parsing error. You might want to try opening the file in an XML editor to see what is wrong, or post the entire file here.

w0lverineNOP · ‎03-12-2015

I wish I could upload screen captures but I do not have enough points yet. But imagine the above script without the 5. and adding capture at the beginning and the end of the script.

w0lverineNOP · ‎03-12-2015

In the streamfwd.xml file do I need to delete the previous xml script in it before I add my capture script into the streamfwd.xml?

Stream App: Configuring the streamfwd.xml

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Join the Conversation