Stream App: Configuring the streamfwd.xml

w0lverineNOP
Path Finder

Following the documentation provided by Splunk, I inserted the following into the streamfwd.xml file in $Splunk_Home/etc/apps/Splunk_TA_stream/local

*
/opt/splunk/pcaps/data.cap
true
tcp port 80
false
true
1000000
*
I do have "capture" in the XML script (the forum will not let me add it in here).
But I am getting an error in the file:
Checking configuration...Error while parsing '/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.xml*' :
junk after document element: Line 9 column 0 ; which is the line beginning with capture


jsie_splunk
Splunk Employee

Hi w0lverineNOP,

You could try this snippet for your Capture section and see if that gets you up and running:

<Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
</Capture>

Alternatively, if you already have the Splunk_TA_stream set up, and your intention is to perform a one-time ingestion of data from the pcap, you could also trigger streamfwd from the command line with this:

$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd  -r /opt/splunk/pcaps/data.cap -s localhost:8889 -b 1000000

(This is assuming you're running the command from a system that's got the Splunk_TA_stream installed and enabled, and you're on 64bit Linux. Otherwise substitute the appropriate architecture directory name.)

Regards,
Jackson

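The error in the original question, "junk after document element", is what an expat-based parser reports when a second top-level element follows the root element; that is exactly what happens if the Capture block is pasted after the closing tag of the existing streamfwd.xml instead of inside it. The Python script below is an added example, not Splunk's code and not part of this thread's answers: it parses a candidate streamfwd.xml with the standard library, locates the Capture element inside the root element, and checks the child values used in the snippet above. The root element name RootElement and the child OtherSetting in the constructed samples are stand-ins, since the thread does not show the rest of the file; the Capture child names are the ones from the answer.

```python
"""Sanity-check a streamfwd.xml before restarting Splunk.

Added example, not Splunk's own tooling. It reports the two things this
thread tripped over: a <Capture> block placed after the root element
(reported by expat as "junk after document element") and a <Capture>
whose child values are malformed.
"""
import xml.etree.ElementTree as ET

BOOL_FIELDS = ("Offline", "Repeat", "SysTime")
INT_FIELDS = ("BitsPerSecond",)


def check_streamfwd_xml(text):
    """Return {"ok": bool, "error": str or None, "capture": dict of child tag -> text}."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # A <Capture> appended after the root's closing tag ends up here.
        return {"ok": False, "error": f"XML parse error: {exc}", "capture": {}}

    capture = root if root.tag == "Capture" else root.find("Capture")
    if capture is None:
        return {"ok": False, "error": "no <Capture> element inside the root element", "capture": {}}

    fields = {child.tag: (child.text or "").strip() for child in capture}
    problems = []
    if not fields.get("Interface"):
        problems.append("<Interface> (device name or pcap path) is empty or missing")
    for name in BOOL_FIELDS:
        if name in fields and fields[name] not in ("true", "false"):
            problems.append(f"<{name}> must be 'true' or 'false', got {fields[name]!r}")
    for name in INT_FIELDS:
        if name in fields and not fields[name].isdigit():
            problems.append(f"<{name}> must be an integer, got {fields[name]!r}")
    return {"ok": not problems, "error": "; ".join(problems) or None, "capture": fields}


# Constructed samples. <RootElement> and <OtherSetting> are stand-ins for the
# parts of streamfwd.xml the thread does not show; the Capture children are
# the ones from the answer above.
GOOD_XML = """<?xml version="1.0"?>
<RootElement>
  <OtherSetting>1</OtherSetting>
  <Capture>
    <Interface>/opt/splunk/pcaps/data.cap</Interface>
    <Offline>true</Offline>
    <Filter>tcp port 80</Filter>
    <Repeat>false</Repeat>
    <SysTime>true</SysTime>
    <BitsPerSecond>1000000</BitsPerSecond>
  </Capture>
</RootElement>
"""

# The layout that produces the error in the original question: the Capture
# block was added after the root element's closing tag instead of inside it.
BAD_XML = """<?xml version="1.0"?>
<RootElement>
  <OtherSetting>1</OtherSetting>
</RootElement>
<Capture>
  <Interface>/opt/splunk/pcaps/data.cap</Interface>
</Capture>
"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_XML), ("bad", BAD_XML)):
        print(label, check_streamfwd_xml(doc))
```

To check a real file, read it and pass its text to check_streamfwd_xml; a non-None "error" tells you whether the problem is the document structure or one of the Capture values.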

Lindaiyu
Path Finder

Hello,
I tried the second way, by command line, and it works. However, the first way, changing the XML file, doesn't work and I don't know why. Could you give me some help? Thank you very much.


mdickey_splunk
Splunk Employee

The only difference between the XML config and the command line above is the <Filter> and <SysTime> nodes. Try removing those and it should work the same. It could be that your pcap doesn't contain "tcp port 80" packets.

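The comment above points at the usual silent failure when reading a pcap through streamfwd: a Filter that matches nothing in the file, so the capture "works" but produces no events. The script below is an added example, not part of this thread and not Splunk's tooling: a standard-library reader for classic pcap files (Ethernet link type, IPv4 only) that counts how many records match a "tcp port N" or "udp port N" filter, so you can confirm the configured filter hits something before pointing streamfwd at the capture. The sample capture is constructed in the code (a proxy conversation on port 8080, one DNS query, one plain HTTP frame) and is not a real trace.

```python
"""Check whether a pcap contains packets matching a streamfwd <Filter>
of the form "tcp port N" or "udp port N".

Added example, not Splunk's code: a minimal pcap reader for the classic
(non-pcapng) format with Ethernet frames carrying IPv4.
"""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap magic (little-endian file)
LINKTYPE_ETHERNET = 1
IP_PROTO = {"tcp": 6, "udp": 17}


def parse_filter(expr):
    """Accept only 'tcp port N' / 'udp port N'; anything else is rejected."""
    m = re.fullmatch(r"\s*(tcp|udp)\s+port\s+(\d+)\s*", expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    return m.group(1), int(m.group(2))


def frames(pcap):
    """Yield the link-layer bytes of each record in a classic pcap byte string."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16                              # record header is 16 bytes
        yield pcap[off:off + incl_len]
        off += incl_len


def matches(frame, proto, port):
    """True if the frame is IPv4/<proto> with <port> as source or destination port."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return False                           # not IPv4 over Ethernet
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length in bytes
    if ip[9] != IP_PROTO[proto] or len(ip) < ihl + 4:
        return False
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return port in (sport, dport)


def count_matching(pcap, filter_expr):
    """Return (total_frames, frames_matching_filter) for a pcap byte string."""
    proto, port = parse_filter(filter_expr)
    total = matched = 0
    for frame in frames(pcap):
        total += 1
        if matches(frame, proto, port):
            matched += 1
    return total, matched


# --- constructed sample capture (not a real network trace) -----------------
def _frame(proto, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"           # zero MACs, EtherType IPv4
    payload = b"x" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64,
                     IP_PROTO[proto], 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 4 + payload
    return eth + ip + l4


def _pcap(frame_list):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frame_list)
    return hdr + body


SAMPLE_PCAP = _pcap([
    _frame("tcp", 51000, 8080),   # client talking to a proxy on 8080
    _frame("tcp", 8080, 51000),   # proxy reply
    _frame("udp", 51001, 53),     # a DNS query
    _frame("tcp", 51002, 80),     # the only plain HTTP frame
])

if __name__ == "__main__":
    for expr in ("tcp port 80", "tcp port 8080"):
        total, hit = count_matching(SAMPLE_PCAP, expr)
        print(f"{expr!r}: {hit} of {total} frames match")
```

Against a real file, read it in binary mode and pass the bytes to count_matching with the Filter text from streamfwd.xml; a zero match count explains an otherwise silent run like the one described above (traffic through a proxy on another port, nothing on port 80).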

Lindaiyu
Path Finder

Yes, because I used a proxy and there is nothing on port 80. When I delete the <Filter>, it works now. Thank you very much.


w0lverineNOP
Path Finder

Yes, perfect! But which path do I need to be in to run streamfwd? It says:
Streamfwd command not found

I was in my $Splunk_Home when I ran the command.


jsie_splunk
Splunk Employee

Updated... 🙂


w0lverineNOP
Path Finder

Well that was well hidden. And I ran the command as directed in the ..../bin folder and I am still getting "streamfwd: command not found" error again.

streamfwd is in the directory. Splunk is running and I ran it as root. ...Give me a few minutes I am going to re-install the whole app again. (I might have fooled with something earlier)


w0lverineNOP
Path Finder

Okay. In the GUI, I get an error once I re-installed the Stream app and enabled streamfwd (had to restart again). It says the following:

Unable to intialize the modular input "streamfwd" defined inside the app "Splunk_TA_stream": Unable to locate suitable script for introspection

I went into the script section and I have 4 scripts (I have no other app installed) and both .py scripts are enabled. Any suggestions?


w0lverineNOP
Path Finder

./streamfwd is the answer ha


mdickey_splunk
Splunk Employee

That message is a generic XML parsing error. You might want to try opening the file in an XML editor to see what is wrong, or post the entire file here.


w0lverineNOP
Path Finder

I wish I could upload screen captures but I do not have enough points yet. But imagine the above script without the 5. and adding capture at the beginning and the end of the script.


w0lverineNOP
Path Finder

In the streamfwd.xml file do I need to delete the previous xml script in it before I add my capture script into the streamfwd.xml?
