
Monitoring a wireshark file using Splunk

Communicator

How does Splunk monitor a Wireshark capture file in its textual form on Windows 7? I converted the Wireshark pcap file to a txt file. Based on what I read on the Splunk Answers forum (http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file), jerrad installed the Splunk Light Forwarder and had it monitor the textual file from the /tshark/splunk/gtp/ directory.

So that means I can set up a Splunk light forwarder using Splunk Web, right? I followed the instructions from http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployaforwarder, which teach how to set up light and heavy forwarders. The instructions state that a heavy forwarder has to be set up before setting up a light forwarder, which I'm not sure of, because I clicked "Add new" in the "Configure forwarding" section, entered the host and port number and saved the settings.

However, I'm quite new to Splunk and I'm now using Splunk 4.3. When I was about to go to Manager in Splunk Web to set up the forwarder, the instructions in the "Forwarding and receiving" section of Manager state: "CAUTION: This will immediately turn off Splunk Web" if the light forwarder is enabled in Splunk Web. So I would like to know whether the light forwarder is the one that monitors the converted Wireshark capture file (as a txt file) since Splunk 4.3?

I hope this would not be treated as a duplicate question.


Re: Monitoring a wireshark file using Splunk

SplunkTrust

Hi misteryuku,

Just set up everything as you want it on the heavy forwarder and, if you get the data the way you want it, go into UI - Manager - Apps and enable the light forwarder. This will disable the web UI and some other features of Splunk.

cheers


Re: Monitoring a wireshark file using Splunk

Communicator

Disabling the web UI and some other features of Splunk sounds like there would be disadvantages. I'm quite skeptical, because my goal is to monitor the converted Wireshark capture file (a txt file on Windows 7) using Splunk.


Re: Monitoring a wireshark file using Splunk

SplunkTrust

Enabling the light forwarder will only disable the web UI, which is only used for config changes, for example, and data inputs to the light forwarder will not be parsed (props.conf and transforms.conf will not be processed on the light forwarder). You will still be able to monitor the directory 😉 but you reduce the system load and the footprint in the data caused by Splunk.


Re: Monitoring a wireshark file using Splunk

Communicator

When I clicked "Enable light forwarder", Splunk Web prompted me to restart Splunk, but there was no "Restart Splunk" button, so I have to go to Splunk's CLI. So how do I restart Splunk using the CLI?


Re: Monitoring a wireshark file using Splunk

SplunkTrust

Change to SPLUNK_HOME (which is the directory where Splunk is installed) and execute as the splunk user:
./bin/splunk restart (on *nix)
\bin\splunk.exe restart (on Windows)


Re: Monitoring a wireshark file using Splunk

Communicator

My PC is running the Windows 7 platform. Is it done in the Windows 7 command line interface? Calling cd? I'm quite lost...


Re: Monitoring a wireshark file using Splunk

SplunkTrust

Hit Win-R, type cmd, press Enter; type cd %SPLUNK_HOME%\bin, press Enter; type splunk.exe restart, press Enter. Done.


Re: Monitoring a wireshark file using Splunk

SplunkTrust

Take any cmd (running or not), change directory (i.e. cd) into your Splunk installation directory, change there into the bin directory, and enter the following command there: "splunk.exe restart" (without the quotes!).


Re: Monitoring a wireshark file using Splunk

Communicator

cd %SPLUNK_HOME%bin resulted in "path cannot be found", so I entered cd Splunk, then cd bin, then splunk.exe restart, then Enter.

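As an added example that is not part of this thread: a small Windows batch file that performs the restart the answers above describe, but first checks whether SPLUNK_HOME is actually set and otherwise falls back to a default install path, so it does not fail with "path cannot be found" the way the bare cd %SPLUNK_HOME%bin did. The fallback path C:\Program Files\Splunk and the script name are assumptions; the thread itself only names the bin\splunk.exe restart command.

```batch
@echo off
rem restart-splunk.bat (added example, not from the thread).
rem Restarts Splunk from cmd.exe, tolerating an unset SPLUNK_HOME.
setlocal

rem 1. Resolve the install directory: prefer SPLUNK_HOME, else assume the
rem    default install location (assumption; adjust if Splunk lives elsewhere).
if defined SPLUNK_HOME (
    set "SPLUNK_DIR=%SPLUNK_HOME%"
) else (
    set "SPLUNK_DIR=C:\Program Files\Splunk"
    echo SPLUNK_HOME is not set, assuming "%SPLUNK_DIR%"
)

rem 2. Fail clearly (non-zero exit code) instead of "path cannot be found"
rem    when the expected binary is missing. Note the explicit backslash
rem    between the directory and bin; the thread's cd %%SPLUNK_HOME%%bin lacked it.
if not exist "%SPLUNK_DIR%\bin\splunk.exe" (
    echo splunk.exe not found under "%SPLUNK_DIR%\bin" 1>&2
    exit /b 1
)

rem 3. Run the restart from within bin, as the answers above describe.
pushd "%SPLUNK_DIR%\bin"
splunk.exe restart
set "RC=%ERRORLEVEL%"
popd

rem 4. Propagate Splunk's exit code so the caller can detect a failed restart.
exit /b %RC%
```

Run it from an elevated cmd prompt if Splunk was installed under Program Files; the exit code tells you whether the restart succeeded.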