How does Splunk monitor a Wireshark capture file in its textual form on Windows 7? I converted the Wireshark pcap file to a txt file. Based on what I read on the Splunk Answers forum (http://splunk-base.splunk.com/answers/2922/splunk-monitoring-a-wireshark-file), jerrad installed the Splunk Light Forwarder and had it monitor the text file in the /tshark/splunk/gtp/ directory.
So that means I can set up a Splunk light forwarder using Splunk Web, right? I followed the instructions at http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Deployaforwarder, which explain how to set up light and heavy forwarders. The instructions state that a heavy forwarder has to be set up before setting up a light forwarder, which I'm not sure about, because I clicked "Add new" in the Configure forwarding section, entered the host and port number, and saved the settings.
However, I'm quite new to Splunk, and I'm now using Splunk 4.3. When I was about to go to Manager in Splunk Web to set up the forwarder, the instructions in the Forwarding and receiving section of Manager state "CAUTION: This will immediately turn off Splunk Web" if the light forwarder is enabled in Splunk Web. So I would like to know whether the light forwarder is the one that monitors the converted Wireshark capture file (as a txt file), since I'm on Splunk 4.3?
I hope this will not be treated as a duplicate question.
Just set everything up as you want it on the heavy forwarder, and if you get the data the way you want it, go into UI - Manager - Apps and enable the light forwarder. This will disable the web UI and some other features of Splunk.
Disabling the web UI and some other features of Splunk sounds like there would be disadvantages. I'm quite skeptical, because my goal is to monitor the converted Wireshark capture file (a txt file) on Windows 7 using Splunk.
Enabling the light forwarder will only disable the web UI, which is only used for config changes, for example, and data inputs to the light forwarder will not be parsed (props.conf and transforms.conf will not be processed on the light forwarder). You will still be able to monitor the directory 😉 but you reduce the system load and the footprint in the data caused by Splunk.
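As an added example (not from the original thread, and not Splunk's own documentation), here are the configuration stanzas that the two answers above and the host/port step in the question amount to once you stop using Splunk Web: the monitor input on the forwarder, the output group that points at the receiving indexer, the receiving port on the indexer, and the props.conf that has to live on the indexer because the light forwarder does not apply props.conf or transforms.conf. The monitored directory follows the /tshark/splunk/gtp/ path mentioned in the question; the indexer hostname, port 9997, the sourcetype name tshark_txt, the index name and the one-packet-per-line assumption about the tshark text output are my assumptions, not facts from the thread.

```ini
# --- On the (light) forwarder: $SPLUNK_HOME\etc\system\local\inputs.conf ---
# Monitor the directory that holds the converted capture text files.
# The path mirrors /tshark/splunk/gtp/ from the question, placed on C: (assumption).
[monitor://C:\tshark\splunk\gtp]
# Only pick up the converted .txt files, not any .pcap left beside them.
whitelist = \.txt$
# Sourcetype and index names are assumptions; the indexer's props.conf keys off the sourcetype.
sourcetype = tshark_txt
index = main
disabled = 0

# --- On the (light) forwarder: $SPLUNK_HOME\etc\system\local\outputs.conf ---
# This is what "Configure forwarding > Add new > host and port" writes for you.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# Hostname and port are assumptions; 9997 is only the conventional receiving port.
server = indexer.example.com:9997

# --- On the indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# "Configure receiving" in Manager: listen for forwarded data on the same port.
[splunktcp://9997]
disabled = 0

# --- On the indexer: $SPLUNK_HOME/etc/system/local/props.conf ---
# Parsing settings must live here, not on the light forwarder, which skips props.conf.
# Assumes the tshark summary output puts one packet per line (assumption).
[tshark_txt]
SHOULD_LINEMERGE = false
```

Restart both instances after editing the files. Because the light forwarder only tails the directory and ships raw lines, any later change to line breaking or field extraction for tshark_txt is made on the indexer side only, which is also why the answer above says enabling the light forwarder reduces the forwarder's load.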
When I clicked Enable light forwarder, Splunk Web prompted me to restart Splunk, but there was no Restart Splunk button, and I had to go to Splunk's CLI. So how do I restart Splunk using the CLI?
Change to SPLUNK_HOME (which is the directory where Splunk is installed) and execute as the splunk user:
./bin/splunk restart (on *nix)
\bin\splunk.exe restart (on Windows)
Open any cmd window (already running or not), change directory (i.e. cd) into your Splunk installation directory, then into its bin directory, and enter the following command: "splunk.exe restart" (without the quotes).