Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Use streamfwd command line options

The streamfwd binary that comes with Splunk_TA_stream includes command line options that let you read packets from pcap files, and send pcap file data to Splunk indexers. The pcap data that streamfwd sends to Splunk indexers is structured event data, not raw packet data.

The streamfwd command line options override the streamfwd.xml configuration file, which by default captures data from all network devices. The streamfwd command line options also override any <Capture> clauses in streamfwd.xml.

Note: You do not need root privileges to run streamfwd commands.

Location of configuration file

Use this option to specify the location of the streamfwd.xml configuration file:

-c <CONFIG_FILE>

This overrides the automatic search behavior where streamfwd tries to find the file for you by looking in the following locations:

  • the current working directory
  • $CWD/etc/local
  • $CWD/config (for legacy purposes)
  • /etc/streamfwd/local
  • $STREAMFWD_PATH/etc/local
  • $STREAMFWD_PATH/../../etc/local (this is typically what is used for a Splunk_TA_stream deployment)

Read pcap files

Use this option to read the contents of a pcap file:

-r <PCAP_FILE>

For example: 

./streamfwd -r my.pcap

You can use the -r option multiple times to specify multiple pcap files to read in parallel.

Note: The -r option is implied if one of your arguments is a valid pcap file name. The following is functionally equivalent to the above example: 

./streamfwd my.pcap

Also, if you provide a pcap file without an -s option (see below), streamfwd assumes "-s localhost:8889". Both of these examples send the data contained in the pcap file to the streamfwd modular input process running on the same server.

Set the bitrate

Use this option to set a bitrate for how fast each pcap file is read:

-b <BITS_PER_SECOND>

By default, the bitrate is 10 Mbps if --repeat (see below) is enabled, otherwise it is unlimited (as fast as possible).

Use system time

This option will cause streamfwd to use the system's clock time for each packet read, instead of using the timestamps included within pcap files.

--systime

Repeat pcap files

Use this option to cause streamfwd to continuously repeat pcap files until it is terminated:

--repeat

For example, to continuously repeat two pcap files at the rate of 1 Mbps each (2 Mbps total): 

./streamfwd -r my.pcap -r your.pcap -b 1048576 --repeat

Send pcap data

Use this option to send pcap data to one or more servers:

-s <SERVER>

<SERVER> can take these formats:

  • https://<HOST>:<PORT>
  • http://<HOST>:<PORT>
  • <HOST>:<PORT> (uses the default of unencrypted).

For example, to read a pcap file and send it to a server running on the same machine: 

./streamfwd -r my.pcap -s localhost

Get streamfwd version

Use this option to get the current streamfwd version:

--version 

./streamfwd --version
streamfwd version 6.0.0 build 450

Run as a background process

Use this option to run streamfwd as a background process (or daemon):

-D

Run as a modular input

By default, streamfwd runs as a modular input if there are no command line arguments.

To run streamfwd as a modular input even when command line arguments are given:

--modinput

To run streamfwd stand-alone (not as a modular input) even when there are no (other) command line arguments:

--nomodinput

Modular input scheme

Use this option to print the modular input scheme:

--scheme 

/.streamfwd --scheme
<scheme><title>Wire data</title><description>Passively capture wire data from network traffic.</description><use_external_validation>true</use_external_validation><use_single_instance>true</use_single_instance><streaming_mode>xml</streaming_mode><endpoint><args><arg name="splunk_stream_app_location"><title>Splunk App for Stream Location</title><description>URI including full path to splunk_app_stream installation (i.e. http://localhost:8000/dj/en-us/splunk_app_stream)</description><validation>validate(match('splunk_stream_app_location', '^https?://.+'), 'Location must start with http:// or https://')</validation></arg></args></endpoint></scheme>

Validate modular input arguments

Use this option to validate modular input arguments passed via STDIN:

--validate-arguments

Last modified on 14 March, 2015
Dashboards   Splunk App for Stream REST API

This documentation applies to the following versions of Splunk Stream: 6.0.2, 6.1.0, 6.1.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters