Started looking at Stream and have a good amount of tcp/udp flow events in which app is "unknown". How can I view the packet payload in Splunk in order to parse out data/create custom streams? I have enabled src_content but this doesn't show the payload for "unknown" events.
Thanks in advance.
Do you mean the src_content field is not present for flows that could not be classified (app is "unknown")? If so, it's probably because Stream didn't capture any payload packets, since the src_content data is captured independently of flow classification. I'd suggest checking the packet count fields to see if these flows have anything substantial. Enabling the dest_content field may also be of value.
Correct, the src_content and dest_content fields are only populated in just under 5% of our events (this is combined after enabling src_content & dest_content for both TCP & UDP).
What are the packet count fields, packets_in & packets_out?
Is there something else I need to do to view the packet payload within Splunk or will I need to generate some pcaps to start creating parsers for our custom apps?
Yes, I'd start with checking the packets_in and packets_out fields. There are also data_packets_in and data_packets_out fields indicating the number of TCP payload packets. I'd also suggest upgrading App for Stream to v6.3 as it contains improvements in the flow classification logic.
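The triage the answers above describe (split the "unknown" flows by whether they carried payload packets at all, and whether src_content/dest_content was actually captured), as an added example written for this thread rather than code from Splunk or the Stream app. It assumes flow events have been exported from Splunk as one JSON object per line carrying the fields named in the thread (app, packets_in, packets_out, data_packets_in, data_packets_out, src_content, dest_content) plus sourcetype; treating stream:udp events as having no data_packets_* fields is an assumption, and the sample events are constructed.

```python
"""Triage Splunk Stream flow events whose app is "unknown".

Added example for this thread, not code from Splunk or the Stream app.
Assumes one exported JSON event per line with the fields the thread names.
"""
import json
from collections import Counter

# Constructed sample: six flow records shaped like exported Stream events.
SAMPLE_EVENTS = [
    {"sourcetype": "stream:tcp", "app": "http", "packets_in": 10, "packets_out": 8,
     "data_packets_in": 5, "data_packets_out": 4,
     "src_content": "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    # Handshake-only flow (SYN, SYN/ACK, RST): nothing to classify or parse.
    {"sourcetype": "stream:tcp", "app": "unknown", "packets_in": 2, "packets_out": 1,
     "data_packets_in": 0, "data_packets_out": 0},
    # Unknown app with captured payload: the starting point for a custom protocol.
    {"sourcetype": "stream:tcp", "app": "unknown", "packets_in": 12, "packets_out": 9,
     "data_packets_in": 6, "data_packets_out": 5,
     "src_content": "MYAPP/1 LOGIN alice\n", "dest_content": "OK\n"},
    # Payload segments were seen but no content was captured for this flow.
    {"sourcetype": "stream:tcp", "app": "unknown", "packets_in": 20, "packets_out": 18,
     "data_packets_in": 10, "data_packets_out": 9},
    {"sourcetype": "stream:udp", "app": "unknown", "packets_in": 1, "packets_out": 1,
     "src_content": "PING client-7\n"},
    {"sourcetype": "stream:udp", "app": "unknown", "packets_in": 3, "packets_out": 3},
]


def load_jsonl(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def payload_packets(ev):
    """Packets that could carry payload.

    TCP: only segments with data (data_packets_in/out), so a flow that is just a
    handshake or keepalives scores 0. UDP: every datagram carries payload, and
    (assumption) UDP events have no data_packets_* fields, so fall back to totals.
    """
    if ev.get("sourcetype") == "stream:udp":
        return int(ev.get("packets_in", 0)) + int(ev.get("packets_out", 0))
    return int(ev.get("data_packets_in", 0)) + int(ev.get("data_packets_out", 0))


def triage_flow(ev):
    """Bucket a flow by why its content fields may be empty."""
    if ev.get("app") != "unknown":
        return "classified"
    if ev.get("src_content") or ev.get("dest_content"):
        return "unknown_with_content"            # payload present: candidate for a custom parser
    if payload_packets(ev) == 0:
        return "unknown_no_payload"              # no data ever flowed; nothing to parse
    return "unknown_payload_missing_content"     # data flowed but was not captured: check capture config


def summarize(events):
    """Count flows per triage bucket."""
    return Counter(triage_flow(ev) for ev in events)


def content_prefix(ev, n=8):
    """Hex of the first n bytes of the client payload, a quick look at a protocol signature."""
    return ev.get("src_content", "").encode("utf-8", "replace")[:n].hex()


if __name__ == "__main__":
    for bucket, count in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{bucket:36s} {count}")
    for ev in SAMPLE_EVENTS:
        if triage_flow(ev) == "unknown_with_content":
            print("signature candidate:", content_prefix(ev))
```

The bucket worth chasing is unknown_payload_missing_content: those flows had data segments, so an empty src_content/dest_content there points at capture configuration rather than at classification. The unknown_with_content flows are the ones to build custom protocol definitions from, and unknown_no_payload flows can simply be set aside. The same split can be done in SPL before exporting, for example `sourcetype=stream:tcp app=unknown | eval data_pkts=data_packets_in+data_packets_out, has_content=if(isnotnull(src_content) OR isnotnull(dest_content),1,0) | stats count by has_content data_pkts`.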