SPAN Traffic Not Appearing in Splunk Stream (Indep...

zhtgzق · ‎01-01-2025

Hello everyone,

I’m trying to send SPAN traffic from a single interface (ens35) to Splunk Enterprise using the Splunk Stream forwarder in independent mode. The Splunk Stream forwarder and the search head appear to be connected properly, but I’m not seeing any of the SPAN traffic in Splunk.

In the stmfwd.log, I see the following error:

(CaptureServer.cpp:2032) stream.CaptureServer - NetFlow receiver configuration is not set in streamfwd.conf. NetFlow data will not be captured. Please update streamfwd.conf to include correct NetFlow receiver configuration.

However, I’m not trying to capture NetFlow data; I only want to capture the raw SPAN traffic. Here is my streamfwd.conf:

[streamfwd]
httpEventCollectorToken = xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
indexer.1.uri = http://splunk-indexer:8088
indexer.2.uri = http://splunk-indexer2:8088

streamfwdcapture.1.interface = ens35

Why is the SPAN traffic not being forwarded to Splunk? How can I configure Splunk Stream properly so that it captures and sends the SPAN traffic to my indexers without any NetFlow setup?

Thank you!

SPAN Traffic Not Appearing in Splunk Stream (Independent Mode)

configuration

troubleshooting

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?