SPAN Traffic Not Appearing in Splunk Stream (Indep...

Splunk Enterprise

Hello everyone,

I’m trying to send SPAN traffic from a single interface (ens35) to Splunk Enterprise using the Splunk Stream forwarder in independent mode. The Splunk Stream forwarder and the search head appear to be connected properly, but I’m not seeing any of the SPAN traffic in Splunk.

In the stmfwd.log, I see the following error:

(CaptureServer.cpp:2032) stream.CaptureServer - NetFlow receiver configuration is not set in streamfwd.conf. NetFlow data will not be captured. Please update streamfwd.conf to include correct NetFlow receiver configuration.

However, I’m not trying to capture NetFlow data; I only want to capture the raw SPAN traffic. Here is my streamfwd.conf:

[streamfwd]
httpEventCollectorToken = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
indexer.1.uri = http://splunk-indexer:8088
indexer.2.uri = http://splunk-indexer2:8088

streamfwdcapture.1.interface = ens35

Why is the SPAN traffic not being forwarded to Splunk? How can I configure Splunk Stream properly so that it captures and sends the SPAN traffic to my indexers without any NetFlow setup?

Thank you!

Get Updates on the Splunk Community!

SPAN Traffic Not Appearing in Splunk Stream (Independent Mode)

configuration

troubleshooting

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?