Splunk Enterprise

Whitelist network traffic

wbolten
Path Finder

Hi, 

I am using the UF to collect data from the system. Using the following stanza I seem to receive all the information in regards to the bytes sent and received. That is too much information for me. I am interested in traffic generated by a specific process, or processes.

To be able to do this I have currently the following stanza live but it seems to be still sending everything. Not using the whitelist option. I also don't  see the option in the documentation so that would not surprise me. 

[perfmon://Network Adapter WebEx]
counters = Bytes Received/sec;Bytes Sent/sec
instances = *
whitelist = *.webex.com
interval = 60
mode = single
object = Network Interface
index = xxxyyyzzz
useEnglishOnly = true
sourcetype = xxxyyyzzz:Network Adapter
disabled = 0

 What would be the best way, if even possible, to only catch and the network traffic for a specific process or processes? 

Besides traffic I am also interested in other metrics such as errors, dropped packets etc. Maybe I am going about this the wrong way. Any help would be appreciated. 

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...