Splunk Stream App - Ingest Pcap issue

psychogyiokosta · ‎01-09-2020

I installed Splunk Stream App and i try to ingest a pcap file into Splunk.

Specifically i select: Settings > Data Inputs > Pcap Files: Add New

Then i fill-in the required information as prompted by Splunk guide here: https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/UseStreamtoparsePCAPfiles

and click Next. I can see the file being loaded for a few seconds, but then nothing happens. I can;'t continue to the 2nd and last step of the uploading process "Done".

streamfwd.conf:

[streamfwd]
streamfwdcapture.0.offline = true
streamfwdcapture.0.interface = /path/to/pcap/testbed-13jun.pcap
streamfwdcapture.0.repeat = true

What am i doing wrong? Thank you.

uagrawal_splunk · ‎01-09-2020

You are trying to upload the .pcap file or .cap file? In which Splunk version and Stream version you are facing an issue ?

psychogyiokosta · ‎01-09-2020

hello, i am using Splunk Enterprise 8.0.0 & Splunk Stream 7.2.0 and i am trying to upload/index a .pcap file yes.

uagrawal_splunk · ‎01-10-2020

I came across one known issue of uploading the pcap files from UI: https://docs.splunk.com/Documentation/StreamApp/7.2.0/ReleaseNotes/Knownissues

You can try the following command:

./streamfwd -r pcap_file_path

psychogyiokosta · ‎01-10-2020

I believe this issue is related to mine:

https://answers.splunk.com/answers/665596/splunk-stream-app-uploading-a-large-pcap-file-fail.html

Looks like when uploading a large pcap with the UI option, it fails. I need to try with CLI commands as you suggest. I will update as soon as i can. Thanks

Splunk Stream App - Ingest Pcap issue

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!