Hello Spelunkers,
I have a PCAP file that contains only netflow data and a directory that is being monitored for PCAPs by Splunk Stream. I would like to be able to ingest this PCAP into Splunk by dropping it into the monitored directory (which is on the same machine as my Splunk instance). I have been able to ingest normal PCAPs without problem from this directory.
I expected to just be able to put this special netflow PCAP into this directory and have the netflow records be searchable. Instead, two events get indexed, one from source = stream:Splunk_Udp and the other from source = stream:Splunk_IP. The UDP one says app:netflow but has no data that you would associate with netflow, while the IP one has netflow information. From what I can tell, stream is treating all of the netflow information we are sending to it as one flow (this makes sense as it is all to and from the same IP). Is there any way to 'dissect' the big flow into the individual netflow records? If I open the PCAP in wireshark I can see each individual netflow record.
Thanks! Asher
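The dissection the question asks for, as an added example (not the poster's code and not part of Splunk Stream): walk the PCAP, pull the UDP payload of every exporter-to-collector datagram, and split each NetFlow v5 export into its individual flow records, emitting one JSON object per record. That output can then be indexed through an ordinary file monitor instead of relying on Stream's per-flow view. It assumes NetFlow v5 over UDP/IPv4, classic pcap files (not pcapng) with an Ethernet or raw-IP link layer, and does not verify IP or UDP checksums; v9/IPFIX datagrams are template based and are skipped rather than parsed. The sample PCAP built by build_sample_pcap() is constructed in the script for a self-contained run.

```python
"""Split the NetFlow v5 datagrams inside a PCAP into one JSON line per flow record.

Assumptions (example code, not Splunk's or the poster's): NetFlow v5 over UDP/IPv4,
Ethernet (DLT 1) or raw-IP (DLT 101) link layer, classic pcap (not pcapng) files.
"""
import json
import socket
import struct
from typing import Dict, Iterator, List

# pcap magic as read little-endian -> byte order of the file's own headers
MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}
NF5_HEADER = struct.Struct(">HHIIIIBBH")                # 24 bytes
NF5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
NF5_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
              "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
              "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def udp_payloads(pcap: bytes) -> Iterator[bytes]:
    """Walk the pcap and yield the payload of every IPv4/UDP datagram in it."""
    endian = MAGICS[struct.unpack_from("<I", pcap, 0)[0]]   # KeyError: not a pcap
    linktype = struct.unpack_from(endian + "IHHiIII", pcap, 0)[6]
    rec_hdr = struct.Struct(endian + "IIII")               # ts_sec, ts_usec, incl_len, orig_len
    off = 24
    while off + rec_hdr.size <= len(pcap):
        incl_len = rec_hdr.unpack_from(pcap, off)[2]
        off += rec_hdr.size
        frame = pcap[off:off + incl_len]
        off += incl_len
        if linktype == 1:        # Ethernet: require an untagged IPv4 frame
            if len(frame) < 14 or frame[12:14] != b"\x08\x00":
                continue
            ip = frame[14:]
        elif linktype == 101:    # raw IP: the frame starts with the IP header
            ip = frame
        else:
            raise ValueError(f"unsupported link type {linktype}")
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:  # IPv4 carrying protocol 17 (UDP)
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from(">H", ip, 2)[0]
        udp = ip[ihl:total_len]
        if len(udp) >= 8:
            yield udp[8:struct.unpack_from(">H", udp, 4)[0]]  # trim to the UDP length field


def parse_netflow_v5(payload: bytes) -> List[Dict]:
    """Return one dict per flow record; non-v5 or truncated input yields fewer/no records."""
    if len(payload) < NF5_HEADER.size:
        return []
    version, count, uptime, secs, _nsecs, seq, eng_type, eng_id, sampling = NF5_HEADER.unpack_from(payload, 0)
    if version != 5:             # v9/IPFIX are template based and need a different parser
        return []
    records = []
    for i in range(count):
        off = NF5_HEADER.size + i * NF5_RECORD.size
        if off + NF5_RECORD.size > len(payload):
            break                # header promised more records than the datagram carries
        rec = dict(zip(NF5_FIELDS, NF5_RECORD.unpack_from(payload, off)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        del rec["pad1"], rec["pad2"]
        rec.update(version=5, unix_secs=secs, sys_uptime=uptime, engine_type=eng_type,
                   engine_id=eng_id, sampling_interval=sampling, flow_sequence=seq + i)
        records.append(rec)
    return records


def pcap_to_events(pcap: bytes) -> List[Dict]:
    return [rec for payload in udp_payloads(pcap) for rec in parse_netflow_v5(payload)]


def to_json_lines(events: List[Dict]) -> str:
    """One JSON object per line, the shape a line-oriented file monitor indexes as one event each."""
    return "".join(json.dumps(e, sort_keys=True) + "\n" for e in events)


def _ip_checksum(header: bytes) -> int:
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return ~total & 0xFFFF


def build_sample_pcap() -> bytes:
    """Constructed test input: one Ethernet/IPv4/UDP frame carrying a v5 export of two flows."""
    flows = [("10.1.1.1", "10.2.2.2", 443, 51234, 6, 12, 9000),
             ("10.3.3.3", "10.4.4.4", 53, 5353, 17, 1, 120)]
    body = b"".join(NF5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                                    pk, oc, 1000, 2000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
                    for s, d, sp, dp, pr, pk, oc in flows)
    nf = NF5_HEADER.pack(5, len(flows), 123456, 1700000000, 0, 1000, 0, 7, 0) + body
    udp = struct.pack(">HHHH", 40000, 2055, 8 + len(nf), 0) + nf   # UDP checksum 0 = none
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20"))
    ip = ip[:10] + struct.pack(">H", _ip_checksum(ip)) + ip[12:]
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + udp
    return (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 1700000000, 0, len(frame), len(frame)) + frame)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    sys.stdout.write(to_json_lines(pcap_to_events(data)))
```

Run it as `python nf5split.py capture.pcap > netflow.json` and point a file monitor at the output; each line carries the exporter's sequence number (header sequence plus the record's index, the convention nfdump uses) so gaps from dropped exports remain visible after the split. A datagram whose header claims more records than it carries is truncated rather than rejected, which is the usual failure mode when a capture was taken with a snaplen shorter than the export.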