Ingest PCAP files using an Independent Stream Forwarder temp) until the PCAP file is complete, then change the extension name to. You can also use a different file extension name (such as. Note: When ingesting PCAP files from directories, make sure the PCAP is complete before moving the file to the directory so that file data is not truncated. When you use the Splunk Add-on for Stream Forwarders, output is forwarded to indexers using the Splunk Add-on for Stream Wire Data.įor more information, see streamfwd command line options.When you use an Independent Stream Forwarder, the output is sent to indexers by the HTTP event collector. The output behavior behavior of the command depends on the type of Stream forwarder you use in your configuration. streamfwd -pcapdir ~/test_pcap_dir -afteringest repeat To read PCAP file data and send that data to Splunk indexers, you must have Splunk_TA_stream installed. Ingest PCAP files using command line options The PCAP file data is uploaded and sent to the specified index. The destination index for the PCAP file data. The name of the host that will appear in PCAP events. Uses the system time clock as timestamp for each packet read.Ĭontinuously repeats the PCAP file until the streamfwd process is terminated.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |