How does Splunk monitor a Wireshark capture file in its textual form on Windows 7? I converted the Wireshark pcap file to a txt file. Based on what I read on the Splunk Answers forum: http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file , jerrad installed the Splunk Light Forwarder and had it monitor the textual file from the /tshark/splunk/gtp/ directory.
So that means I can set up a Splunk light forwarder using Splunk Web, right? I followed the instructions from http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployaforwarder , which teach how to set up light and heavy forwarders. The instructions state that a heavy forwarder has to be set up before setting up a light forwarder, which I'm not sure of, because I clicked "Add new" against the "Configure forwarding" section, where I entered the host and port number and saved the settings.
However, I'm quite new to Splunk and I'm now using Splunk 4.3. When I was about to go to Manager in Splunk Web to set up the forwarder, the instructions in the "Forwarding and receiving" section in Manager state: CAUTION: This will immediately turn off Splunk Web if the light forwarder is enabled in Splunk Web. So I would like to know if the light forwarder is the one that monitors the converted Wireshark capture file (as a txt file) since Splunk 4.3?
I hope this would not be treated as a duplicate question.
OK, I thought that was the situation. In that case you will not need a forwarder, so DON'T turn off the GUI!
If the Wireshark file is simply stored as a rolling text file (i.e. more data is appended to the file, and not stored in a new file), I would set the input up as a "file monitor". The best option would be to go to Manager in Splunk and add another input (for example: Splunk >> Manager >> Data Inputs >> Files & directories >> New), then use the "Preview data before indexing" option to browse for your file and make sure all events appear as they are supposed to...
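The same file-monitor setup done from the command line on the single local Windows instance, as an added example that is not part of the original thread or of Splunk's documentation. The install path, the capture directory, the tshark field list and the sourcetype name `tshark_fields` are assumptions; the Splunk CLI subcommands (`add monitor`, `list monitor`, `restart`) and the props.conf settings are standard ones, and `splunk add monitor` will prompt for the admin login the first time it runs.

```powershell
# Added example (not from the thread): convert a pcap to a pipe-delimited text file with
# tshark, then have the single local Splunk instance index it through a file monitor.
# All paths and the sourcetype name are assumptions; adjust them to your layout.
$splunkHome = "C:\Program Files\Splunk"
$tshark     = "C:\Program Files\Wireshark\tshark.exe"
$captureDir = "C:\captures"
$pcap       = Join-Path $captureDir "gtp.pcap"
$txt        = Join-Path $captureDir "gtp.txt"

# 1. One line per packet, epoch timestamp first so Splunk can take the packet time rather
#    than the index time. -Append keeps $txt a rolling file: repeated conversions add lines,
#    and the monitor (which remembers its read offset) only indexes the new ones.
& $tshark -r $pcap -T fields `
    -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e frame.protocols `
    -E separator='|' -E occurrence=f | Out-File -FilePath $txt -Append -Encoding ascii

# 2. Register the file monitor. This is the CLI form of
#    Manager >> Data Inputs >> Files & directories >> New.
#    If your tool writes a NEW file per run instead of appending, monitor $captureDir here
#    instead of $txt so every new file is picked up.
& "$splunkHome\bin\splunk.exe" add monitor $txt -sourcetype tshark_fields -index main

# 3. Line breaking and timestamping for the sourcetype. frame.time_epoch prints seconds
#    with nine decimal places (e.g. 1331022450.123456789), hence %s.%9N.
#    Add-Content appends so an existing props.conf is not overwritten.
$props = @"

[tshark_fields]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^
TIME_FORMAT = %s.%9N
MAX_TIMESTAMP_LOOKAHEAD = 25
"@
Add-Content -Path "$splunkHome\etc\system\local\props.conf" -Value $props -Encoding ascii

# 4. Restart so the new props.conf stanza is read, then confirm the monitor is registered.
#    This is the same "splunk.exe restart" from the bin directory mentioned later in the thread.
& "$splunkHome\bin\splunk.exe" restart
& "$splunkHome\bin\splunk.exe" list monitor
```

After the restart, search `sourcetype=tshark_fields` and check that the event time matches the first field of each line; if it shows the index time instead, the `TIME_FORMAT` did not match and the timestamp rule in step 3 is the place to fix. None of this needs a forwarder of either kind, since the capture file and the indexer are on the same PC.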
It is a single installation running on one PC, e.g. my laptop. My aim is to monitor a converted Wireshark file as a txt file using Splunk. My Wireshark file is found locally on my PC, and Splunk is on the same local PC as well. My PC is running Windows 7.
Just set up everything as you want it on the heavy forwarder and, if you get the data the way you want it, go into UI - Manager - Apps and enable the light forwarder. This will disable the web UI and some other features of Splunk.
Open any cmd window (an already running one or a new one), change directory (cd) into your Splunk installation directory, then into the bin directory, and enter the following command there: "splunk.exe restart" (without the quotes).
When I clicked "enable light forwarder", Splunk Web prompted me to restart Splunk, but there was no "restart Splunk" button and I have to go to Splunk's CLI. So how do I restart Splunk using the CLI?
Enabling the light forwarder will only disable the web UI, which is only used for config changes, for example, and data inputs to the light forwarder will not be parsed (props.conf and transforms.conf will not be processed on the light forwarder). You will still be able to monitor the directory 😉 but you reduce the system load and the footprint in the data caused by Splunk.
Disabling the web UI and some other features of Splunk sounds like there would be disadvantages. I'm quite skeptical, because my goal is to monitor the converted Wireshark capture file (a txt file on Windows 7) using Splunk.