Following the documentation provided by Splunk, I inserted the following in the streamfwd.xml file in $Splunk_Home/etc/apps/Splunk_TA_stream/local
I do have "capture" in the xml script (it will not let me add it in here)
But I am getting an error in the file:
Checking configuration...Error while parsing '/opt/splunk/etc/apps/Splunk_TA_stream/local/streamfwd.xml*' :
junk after document element: Line 9 column 0; which is the line beginning with capture
Hi w0lverineNOP,
You could try this snippet for your Capture section and see if that gets you up and running:
<Capture>
<Interface>/opt/splunk/pcaps/data.cap</Interface>
<Offline>true</Offline>
<Filter>tcp port 80</Filter>
<Repeat>false</Repeat>
<SysTime>true</SysTime>
<BitsPerSecond>1000000</BitsPerSecond>
</Capture>
Alternatively, if you already have the Splunk_TA_stream set up, and your intention is to perform a one-time ingestion of data from the pcap, you could also trigger streamfwd from the command line with this:
$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd -r /opt/splunk/pcaps/data.cap -s localhost:8889 -b 1000000
(This is assuming you're running the command from a system that's got the Splunk_TA_stream installed and enabled, and you're on 64bit Linux. Otherwise substitute the appropriate architecture directory name.)
Regards,
Jackson
Hello,
I tried the second way, by command line, and it can work; however, the first way, changing the xml file, doesn't work and I don't know why. Could you give me some help? Thank you very much.
The only difference between the XML config and the command line above is the <Filter> and <SysTime> nodes. Try removing those and it should work the same. It could be that your pcap doesn't contain "tcp port 80" packets.
Yes, because I used a proxy there is nothing on port 80. When I delete the <Filter>, it works now. Thank you very much.
Yes, perfect! But which path do I need to be in to run streamfwd? It says:
Streamfwd command not found
I was in my $Splunk_Home when I ran the command
Updated... 🙂
Well that was well hidden. And I ran the command as directed in the ..../bin folder and I am still getting "streamfwd: command not found" error again.
streamfwd is in the directory. Splunk is running and I ran it as root. ...Give me a few minutes I am going to re-install the whole app again. (I might have fooled with something earlier)
Okay. In the GUI. I get an error once I re-installed the stream app and enabled the streamfwd (had to restart again) it says the following:
Unable to intialize the modular input "streamfwd" defined inside the app "Splunk_TA_stream": Unable to locate suitable script for introspection
I went into the script section and I have 4 scripts (I have no other app installed) and both .py scripts are enabled. Any suggestions?
./streamfwd is the answer ha
That message is a generic XML parsing error. You might want to try opening the file in an XML editor to see what is wrong, or post the entire file here.
I wish I could upload screen captures but I do not have enough points yet. But imagine the above script without the 5. and adding capture at the beginning and the end of the script.
In the streamfwd.xml file do I need to delete the previous xml script in it before I add my capture script into the streamfwd.xml?
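The "junk after document element" error in this thread is what an XML parser reports when a second top-level element (here, <Capture>) is appended after the file's existing root element instead of inside it. The following added script, which is not from the thread or from Splunk, reproduces that error on a constructed streamfwd.xml and shows the fix; the root element name <StreamFwdConfig> and the <ProcessingThreads> child are assumptions about the file's layout.

```python
"""Reproduce the 'junk after document element' error and show the fix:
the <Capture> block must be a child of the root element of streamfwd.xml,
not a second root placed after it. Added example, not from the thread."""
import xml.etree.ElementTree as ET

# Constructed sample of a minimal streamfwd.xml. The root name
# <StreamFwdConfig> and its child are assumptions, not from the thread.
EXISTING_CONFIG = """<StreamFwdConfig>
  <ProcessingThreads>4</ProcessingThreads>
</StreamFwdConfig>
"""

# The <Capture> block suggested in the thread. <Filter> is left out because
# the thread found "tcp port 80" dropped every packet from a proxied capture.
CAPTURE_BLOCK = """<Capture>
  <Interface>/opt/splunk/pcaps/data.cap</Interface>
  <Offline>true</Offline>
  <Repeat>false</Repeat>
  <BitsPerSecond>1000000</BitsPerSecond>
</Capture>
"""

def parse_error(xml_text):
    """Return the parser's error message, or None if the XML is well-formed."""
    try:
        ET.fromstring(xml_text)
        return None
    except ET.ParseError as exc:
        return str(exc)

def merge_capture(config_text, capture_text):
    """Place the Capture element under the root, replacing any existing one."""
    root = ET.fromstring(config_text)
    for old in root.findall("Capture"):
        root.remove(old)
    root.append(ET.fromstring(capture_text))
    return ET.tostring(root, encoding="unicode")

def capture_interface(config_text):
    """Return the Interface path of the root's Capture child, or None."""
    node = ET.fromstring(config_text).find("Capture/Interface")
    return None if node is None else node.text

if __name__ == "__main__":
    broken = EXISTING_CONFIG + CAPTURE_BLOCK   # appended after the root
    print(parse_error(broken))   # junk after document element: line 4, column 0
    fixed = merge_capture(EXISTING_CONFIG, CAPTURE_BLOCK)
    print(parse_error(fixed))    # None
    print(fixed)
```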