Getting Data In

Monitoring a wireshark file using Splunk

misteryuku
Communicator

How does Splunk monitor a Wireshark capture file in its textual form on Windows 7? I converted the Wireshark pcap file to a txt file. Based on what I read on the Splunk Answers forum (http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file), jerrad installed the Splunk Light Forwarder and had it monitor the text file from the /tshark/splunk/gtp/ directory.

So that means I can set up a Splunk light forwarder using Splunk Web, right? I followed the instructions from http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployaforwarder, which teach how to set up light and heavy forwarders. The instructions state that a heavy forwarder has to be set up before setting up a light forwarder, which I'm not sure of, because I clicked "Add new" in the configure forwarding section, entered the host and port number, and saved the settings.

However, I'm quite new to Splunk and I'm now using Splunk 4.3. When I was about to go to Manager in Splunk Web to set up the forwarder, the instruction in the Forwarding and receiving section of Manager states: CAUTION: This will immediately turn off Splunk Web if the light forwarder is enabled in Splunk Web. So I would like to know if the light forwarder is the one that monitors the converted Wireshark capture file as a txt file, as of Splunk 4.3?

I hope this would not be treated as a duplicate question.

MHibbin
Influencer

OK, I thought that was the situation. In that case you will not need a forwarder, so DON'T turn off the GUI!

If the Wireshark file is simply stored as a rolling text file (i.e. more data is appended to the file rather than stored in a new file), I would set the input up as a "file monitor". The best option would be to go to Manager in Splunk and add another input (for example: Splunk >> Manager >> Data Inputs >> Files & directories >> New), then use the "Preview data before indexing" option to browse for your file and make sure all events appear as they are supposed to...

0 Karma
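A concrete version of the file-monitor setup MHibbin describes, as an added example that is not part of the original thread: the tshark export command that produces a Splunk-friendly text file, and the Splunk 4.x configuration stanzas that a single-instance install (Splunk and the capture on the same PC) would use instead of a forwarder. The paths C:\captures\capture.txt and capture.pcap, the sourcetype name tshark_fields, the stanza name tshark_fields_delims and the field list are assumptions chosen for the example.

```ini
# Added example, not from the thread. Assumed names: C:\captures\capture.txt,
# capture.pcap, sourcetype "tshark_fields", index "main".
#
# Convert the pcap to text with tshark, one packet per line, epoch timestamp
# in the first column and no header row (on Splunk 4.x a header row would be
# indexed as a bogus event). Typed into the Windows 7 cmd prompt:
#
#   tshark -r capture.pcap -T fields -E header=n -E separator=, -E quote=n ^
#     -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto ^
#     -e tcp.srcport -e tcp.dstport -e frame.len -e frame.protocols ^
#     > C:\captures\capture.txt
#
# Re-running with ">>" appends to the file, which is the "rolling" case the
# monitor input picks up incrementally; ">" rewrites it from scratch.

# --- %SPLUNK_HOME%\etc\system\local\inputs.conf ---
[monitor://C:\captures\capture.txt]
sourcetype = tshark_fields
index = main
disabled = 0
# Splunk identifies a file by a CRC of its first bytes. Converted captures that
# begin identically (same first packets, or a header row) would be mistaken for
# one file; salting the CRC with the path keeps each file distinct.
crcSalt = <SOURCE>

# --- %SPLUNK_HOME%\etc\system\local\props.conf ---
[tshark_fields]
# One packet per line: never merge lines into multi-line events.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# frame.time_epoch is the first column, e.g. 1336065184.123456789
TIME_PREFIX = ^
TIME_FORMAT = %s.%9N
MAX_TIMESTAMP_LOOKAHEAD = 21
# Search-time field extraction by delimiter, defined in transforms.conf.
REPORT-tshark = tshark_fields_delims

# --- %SPLUNK_HOME%\etc\system\local\transforms.conf ---
[tshark_fields_delims]
DELIMS = ","
FIELDS = "frame_time_epoch", "src_ip", "dest_ip", "ip_proto", "src_port", "dest_port", "frame_len", "protocols"
```

The check to run before committing the input is the "Preview data before indexing" step from the answer above: each packet line should appear as its own event with _time taken from the first column; if several packets merge into one event or _time equals the indexing time, the sourcetype is not being applied and the props.conf stanza is not in effect. Note also, following MuS's point later in this thread, that props.conf and transforms.conf are processed where parsing happens; on a single-instance install that is the same instance that runs the web UI, so nothing has to be disabled for these stanzas to take effect.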

misteryuku
Communicator

Since the Wireshark file is on the same machine as Splunk, what is the way to monitor the Wireshark file in txt format instead of using forwarders?

0 Karma

misteryuku
Communicator

It is a single installation running on one PC, e.g. my laptop. My aim is to monitor a converted Wireshark file as a txt file using Splunk. My Wireshark file is found locally on my PC and Splunk is also on the same local PC. My PC is running Windows 7.

0 Karma

MuS
Legend

Hi misteryuku

Just set up everything as you want it on the heavy forwarder and, if you get the data the way you want it, go into UI - Manager - Apps and enable the light forwarder. This will disable the web UI and some other features of Splunk.

cheers

misteryuku
Communicator

cd %SPLUNK_HOME%bin resulted in "path cannot be found", so I entered cd Splunk, then cd bin, then entered splunk.exe restart and pressed Enter.

0 Karma

MuS
Legend

Take any cmd (running or not), change dir (i.e. cd) into your Splunk installation directory, change there into the bin directory, and enter the following command: "splunk.exe restart" without the quotes!

MuS
Legend

Hit Win-R, Enter; cmd, Enter; cd %SPLUNK_HOME%\bin, Enter; splunk.exe restart, Enter. <done>

misteryuku
Communicator

My PC is running the Windows 7 platform. Is it done in the Windows 7 command line interface, calling cd? I'm quite lost...

0 Karma

MuS
Legend

Change to SPLUNK_HOME (which is the directory where Splunk is installed) and execute as the splunk user:
./bin/splunk restart (on *nix)
\bin\splunk.exe restart (on Windows)

misteryuku
Communicator

When I clicked enable light forwarder, Splunk Web prompted me to restart Splunk, and there was no restart Splunk button, so I have to go to Splunk's CLI. So how do I restart Splunk using the CLI?

0 Karma

MuS
Legend

Enabling the light forwarder will only disable the web UI, which is only used for config changes, for example, and data inputs to the light forwarder will not be parsed (props.conf and transforms.conf will not be processed on the light forwarder). You will still be able to monitor the directory 😉 but you reduce the system load and the footprint in the data caused by Splunk.

misteryuku
Communicator

Disabling the web UI and some other features of Splunk sounds like there would be disadvantages. I'm quite skeptical, because my goal is to monitor the converted Wireshark capture file as a txt file on Windows 7 using Splunk.

0 Karma