I installed the Splunk Stream App and I am trying to ingest a pcap file into Splunk.
Specifically, I select: Settings > Data Inputs > Pcap Files: Add New
Then i fill-in the required information as prompted by Splunk guide here: https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/UseStreamtoparsePCAPfiles
and click Next. I can see the file being loaded for a few seconds, but then nothing happens. I can't continue to the 2nd and last step of the uploading process, "Done".
[streamfwd]
streamfwdcapture.0.offline = true
streamfwdcapture.0.interface = /path/to/pcap/testbed-13jun.pcap
streamfwdcapture.0.repeat = true
What am I doing wrong? Thank you.
I came across one known issue of uploading the pcap files from UI: https://docs.splunk.com/Documentation/StreamApp/7.2.0/ReleaseNotes/Knownissues
You can try the following command:
./streamfwd -r pcap_file_path
I believe this issue is related to mine:
Looks like when uploading a large pcap with the UI option, it fails. I need to try with CLI commands as you suggest. I will update as soon as I can. Thanks.