All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

View Packet Payload in Stream

kbecker
Communicator
‎06-26-2015 06:54 AM

Starting looking at Stream and have a good amount of tcp/udp flow events in which app is "unknown". How can I view the packets payload in Splunk in order to parse out data/create custom streams? I have enabled src_content but this doesn't show the payload for "unknown" events.

Thanks in advance.

Tags (1)
0 Karma
Reply

vshcherbakov_sp
Splunk Employee
Splunk Employee
‎06-26-2015 09:40 AM

Do you mean the src_content field is not present for flows that could not be classified (app is "unknown")? If so, it's probably because Stream didn't capture any payload packets since the src_content data is captured independently from flow classification. I'd suggest checking the packet count fields to see if these flows have anything substantial. Enabling the dest_content field may also be of value.

0 Karma
Reply

kbecker
Communicator
‎06-28-2015 02:41 PM

Correct, the src_content and dest_content fields are only populated in just under 5% of our events (this is combined after enabling src_content & dest_content for both TCP & UDP).

What are the packet count fields, packets_in & packets_out?

Is there something else I need to do to view the packet payload within Splunk or will I need to generate some pcaps to start creating parsers for our custom apps?

0 Karma
Reply

vshcherbakov_sp
Splunk Employee
Splunk Employee
‎07-06-2015 12:03 PM

Yes, I'd start with checking packets_in and packets_out fields. There are also data_packets_in and data_packets_out fields indicating the number of TCP payload packets. I'd also suggest upgrading App for Stream to v 6.3 as it contains improvements in the flow classification logic.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...