
When uploading pcap data to be ingested by splunk stream, where does that data go?

dan_ritter
Engager

I am trying to get Splunk Stream to ingest some pcap files. I cannot seem to find the data once I follow the instructions in the documentation (https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/UseStreamtoparsePCAPfiles).

When I upload through the web UI, I do see the data in the splunk stream app inputs.conf, but I cannot see that data in the UI. If I upload through streamfwd (on the same machine splunk is installed on), it says it has finished, but I still see nothing. I DO have the modular input enabled, and I DO see events from the host itself.

Is there any obvious step I am missing?

0 Karma

micahkemp
Champion

Edit: I just tried uploading a pcap to stream, and unfortunately it seems to set source to whatever stream usually uses for the source, not the pcap filename.

The only solution I can think of for you is to select "More Settings" from the "Add Data" page and give your uploaded data a different host name (in the "host field value" line). This is less than ideal, in my opinion, but at least setting it for a test should show you the data you just added.

Original answer:

Have you looked in the index the rest of the stream data goes into, and for all time? I'm assuming the pcap input for stream will use the timestamps from the pcap itself for the event times, so you may need to expand your search time.

You may try this search for all time to see if you can identify a source that looks to maybe be for your imported pcap:

| tstats count WHERE index=* sourcetype=stream* BY index source

And if one of those sources looks like it may be your uploaded data, search like this to see it:

index=<index from above search> sourcetype=<sourcetype from above source>
0 Karma
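The answer above hinges on one point: a pcap carries its own capture timestamps, so the ingested events land at the capture time, not at upload time, and a default "last 24 hours" search will miss them. The following is an added example, not code from the thread or from Splunk Stream: it parses the libpcap record headers of a file in memory, reports the packet count and the earliest and latest capture timestamps, and turns that range into standard `earliest=`/`latest=` epoch time modifiers for the search the answer suggests. The `build_sample_pcap` helper constructs a small pcap fixture with placeholder frame bytes (constructed sample, not real traffic); the padding of 60 seconds around the range is an arbitrary choice.

```python
import struct

# Magic values as read with "<I": the value tells us both the file's byte order
# and whether the fractional timestamp field is microseconds or nanoseconds.
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),       # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),       # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),   # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),   # big-endian, nanosecond timestamps
}
_PCAPNG_MAGIC = 0x0A0D0D0A  # pcapng section header block type, not libpcap

PCAP_GLOBAL_HEADER_LEN = 24
PCAP_RECORD_HEADER_LEN = 16


def build_sample_pcap(timestamps, endian="<"):
    """Construct a microsecond-resolution libpcap file in memory (test fixture only).

    timestamps: iterable of (seconds, microseconds) pairs, one per packet.
    The frame payload is placeholder bytes, not a real Ethernet frame.
    """
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for sec, usec in timestamps:
        payload = b"\x00" * 60
        body += struct.pack(endian + "IIII", sec, usec, len(payload), len(payload))
        body += payload
    return header + body


def pcap_time_range(data):
    """Return {'packets', 'first', 'last'} for a libpcap byte string.

    Timestamps are epoch seconds as floats. Out-of-order records are handled by
    tracking min/max; a truncated final record is dropped rather than mis-timed.
    """
    if len(data) < PCAP_GLOBAL_HEADER_LEN:
        raise ValueError("too short to be a libpcap file")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == _PCAPNG_MAGIC:
        raise ValueError("pcapng file, not classic libpcap")
    if magic not in _MAGICS:
        raise ValueError("unknown magic 0x%08x, not a libpcap file" % magic)
    endian, divisor = _MAGICS[magic]

    offset = PCAP_GLOBAL_HEADER_LEN
    count = 0
    first = last = None
    while offset + PCAP_RECORD_HEADER_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack_from(
            endian + "IIII", data, offset
        )
        if offset + PCAP_RECORD_HEADER_LEN + incl_len > len(data):
            break  # incomplete last record (e.g. capture cut short)
        ts = ts_sec + ts_frac / divisor
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        count += 1
        offset += PCAP_RECORD_HEADER_LEN + incl_len
    return {"packets": count, "first": first, "last": last}


def splunk_time_window(summary, pad_seconds=60):
    """Map a pcap time range to integer earliest/latest epoch values for a search."""
    if summary["packets"] == 0:
        raise ValueError("no complete packets found, nothing to search for")
    return int(summary["first"]) - pad_seconds, int(summary["last"]) + pad_seconds + 1


def search_for_pcap(summary, index="*", sourcetype="stream*"):
    """Build the answer's discovery search, pinned to the pcap's own time window."""
    earliest, latest = splunk_time_window(summary)
    return (
        "| tstats count WHERE index=%s sourcetype=%s earliest=%d latest=%d "
        "BY index source sourcetype" % (index, sourcetype, earliest, latest)
    )


if __name__ == "__main__":
    sample = build_sample_pcap([(1500000000, 0), (1500000060, 500000), (1500003600, 0)])
    summary = pcap_time_range(sample)
    print(summary)
    print(search_for_pcap(summary))
```

Run it against the real upload (`pcap_time_range(open(path, "rb").read())`) before searching: if the capture is from last month, the resulting `earliest`/`latest` values explain immediately why an "all time" search finds the events while the default window does not.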