Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Stream App - Ingest Pcap issue

psychogyiokosta
New Member
‎01-09-2020 04:03 AM

I installed Splunk Stream App and i try to ingest a pcap file into Splunk.

Specifically i select: Settings > Data Inputs > Pcap Files: Add New

Then i fill-in the required information as prompted by Splunk guide here: https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/UseStreamtoparsePCAPfiles

and click Next. I can see the file being loaded for a few seconds, but then nothing happens. I can;'t continue to the 2nd and last step of the uploading process "Done".

streamfwd.conf:

[streamfwd]
streamfwdcapture.0.offline = true
streamfwdcapture.0.interface = /path/to/pcap/testbed-13jun.pcap
streamfwdcapture.0.repeat = true

What am i doing wrong? Thank you.

0 Karma
Reply

uagrawal_splunk
Splunk Employee
Splunk Employee
‎01-09-2020 05:14 AM

You are trying to upload the .pcap file or .cap file? In which Splunk version and Stream version you are facing an issue ?

0 Karma
Reply

psychogyiokosta
New Member
‎01-09-2020 05:20 AM

hello, i am using Splunk Enterprise 8.0.0 & Splunk Stream 7.2.0 and i am trying to upload/index a .pcap file yes.

0 Karma
Reply

uagrawal_splunk
Splunk Employee
Splunk Employee
‎01-10-2020 04:38 AM

I came across one known issue of uploading the pcap files from UI: https://docs.splunk.com/Documentation/StreamApp/7.2.0/ReleaseNotes/Knownissues

You can try the following command:

./streamfwd -r pcap_file_path

0 Karma
Reply

psychogyiokosta
New Member
‎01-10-2020 05:28 AM

I believe this issue is related to mine:

https://answers.splunk.com/answers/665596/splunk-stream-app-uploading-a-large-pcap-file-fail.html

Looks like when uploading a large pcap with the UI option, it fails. I need to try with CLI commands as you suggest. I will update as soon as i can. Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...