How to configure Stream App 7.12 on Splunk Ent 7.1.0 to see port with tap data running over it?


It seems as though they've made the newer version of Splunk Enterprise a little more difficult when it comes to Stream and Data inputs. I've done this in the past, but with the newer versions mentioned above, I cannot get Stream to:

1. Verify using the set permissions script.
2. Create a new data input via wire data (loads of new fields that are making it impossible).
3. localhost doesn't seem to be working as a stream source anyway.

I can already see the data via tcpdump (the port was set as promisc and no IPs etc.), but Splunk doesn't seem to want to play, or the latest update has made it rather difficult to add a wire data input. Anyone else had any joys/gripes in these versions?
