All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

When uploading pcap data to be ingested by splunk stream, where does that data go?

dan_ritter
Engager
‎01-15-2018 03:17 PM

I am trying to get Splunk Stream to ingest some pcap files. I cannot seem to find the data once I follow the instructions on the documentation(https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/UseStreamtoparsePCAPfiles)

When I upload through the web UI, I do see the data in the splunk stream app inputs.conf, but I cannot see that data in the UI. If I upload through streamfwd (on the same machine splunk is installed on), it says it has finished, but I still see nothing. I DO have the modular input enabled, and I DO see events from the host itself.

Is there any obvious step I am missing?

0 Karma
Reply

micahkemp
Champion
‎02-04-2018 07:55 AM

Edit: I just tried uploading a pcap to stream, and unfortunately it seems to set source to whatever stream usually uses for the source, not the pcap filename.

The only solution I can think of for you is to select "More Settings" from the "Add Data" page and give your uploaded data a different host name (in the "host field value" line). This is less than idea, in my opinion, but at least setting it for a test should show you the data you just added.

Original answer:

Have you looked in the index the rest of the stream data goes into, and for all time? I'm assuming the pcap input for stream will use the timestamps from the pcap itself for the event times, so you may need to expand your search time.

You may try this search for all time to see if you can identify a source that looks to maybe be for your imported pcap:

| tstats count WHERE index=* sourcetype=stream* BY index source

And if one of those sources looks like it may be your uploaded data, search like this to see it:

index=<index from above search> sourcetype=<sourcetype from above source>
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...