Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

streamfwd command line options

The streamfwd binary that comes with Splunk_TA_stream includes command line options that let you read packets from pcap files, send pcap file data to Splunk indexers, find Windows and Linux network interfaces, and perform several configuration tasks.

streamfwd command line options override the streamfwd.conf configuration file, which by default captures data from all network devices. streamfwd command line options also override any specific capture locations specified by the streamfwdcapture parameter in streamfwd.conf.

Note: You do not need root privileges to run the streamfwd command line options described here (reading pcap files, listing interfaces, printing the scheme, managing keys). Capturing live traffic from a network interface is a separate matter and remains subject to the operating system's packet-capture permissions.

Location of streamfwd.conf

streamfwd looks for streamfwd.conf in these locations. Because the current working directory is one of them, start streamfwd from a directory that only trusted accounts can write to; a streamfwd.conf planted there would otherwise be picked up in place of the intended one.

  • Current working directory
  • $CWD/etc/local
  • $CWD/config (for legacy purposes)
  • /etc/streamfwd/local
  • $STREAMFWD_PATH/etc/local
  • $STREAMFWD_PATH/../../etc/local (this location is typically used for a Splunk_TA_stream deployment).

Note: On Windows, the app reports service errors (such as configuration file not found) to the Windows Event log.
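The following shell script is an added example, not part of Splunk_TA_stream or this manual. It walks the search locations listed above to show which streamfwd.conf a given working directory would yield, and flags a winning file that any user on the host can modify. It assumes (the page does not state this) that the first location containing a file wins, and that STREAMFWD_PATH is the directory holding the streamfwd binary. The function names and the world-writable check are the example's own.

```shell
#!/bin/sh
# Resolve the streamfwd.conf that streamfwd would load for a given working
# directory, following the documented search order, and warn when that file
# is world-writable. Added example; not Splunk's code.
# Assumptions: first existing candidate wins; $STREAMFWD_PATH is the directory
# containing the streamfwd binary (may be unset).

streamfwd_conf_candidates() {
    # Print candidate paths in precedence order; $1 is the working directory (default: $PWD).
    cwd=${1:-$PWD}
    printf '%s\n' "$cwd/streamfwd.conf" \
                  "$cwd/etc/local/streamfwd.conf" \
                  "$cwd/config/streamfwd.conf" \
                  "/etc/streamfwd/local/streamfwd.conf"
    [ -n "$STREAMFWD_PATH" ] && printf '%s\n' "$STREAMFWD_PATH/etc/local/streamfwd.conf" \
                                              "$STREAMFWD_PATH/../../etc/local/streamfwd.conf"
    return 0
}

resolve_streamfwd_conf() {
    # Print the first candidate that exists; return 1 when none does.
    streamfwd_conf_candidates "$1" | {
        while IFS= read -r f; do
            [ -f "$f" ] && { printf '%s\n' "$f"; exit 0; }
        done
        exit 1
    }
}

world_writable() {
    # Return 0 when $1 has the other-write bit set, i.e. any local account can edit it.
    [ -n "$(find "$1" -prune -perm -002 -print 2>/dev/null)" ]
}

check_streamfwd_conf() {
    # Print the active configuration file, or fail loudly if it is missing or untrustworthy.
    conf=$(resolve_streamfwd_conf "$1") || {
        echo "no streamfwd.conf found in the search path for ${1:-$PWD}" >&2
        return 1
    }
    if world_writable "$conf"; then
        echo "WARNING: $conf is world-writable; any local user could redirect capture" >&2
        return 2
    fi
    printf '%s\n' "$conf"
}

# usage: STREAMFWD_PATH=/opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin check_streamfwd_conf /path/to/cwd
```

Run check_streamfwd_conf from the directory you intend to launch streamfwd from; a non-zero exit means either no configuration was found or the one found can be altered by other accounts.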

List network interfaces

Use this option to view all network interfaces on Windows or Linux machines:

--iflist

For example, on a Windows machine:

C:\Splunk_Home\etc\apps\Splunk_TA_stream\windows_x86_64\bin>streamfwd.exe --iflist
<Sniffer>
  <Interface>
    <Name>\Device\NPF_{D6995D00-B75C-48DB-99AA-69F0150126BC}</Name>
    <Alias>Local Area Connection</Alias>
    <Description>Intel(R) PRO/1000 MT Network Connection</Description>
  </Interface>
</Sniffer>

Read pcap files

Use this option to read the contents of a pcap file:

-r <PCAP_FILE>

For example:

./streamfwd -r my.pcap

You can use the -r option multiple times to specify multiple pcap files to read in parallel. The -r option is implied if one of your arguments is a valid pcap file name. The following is functionally equivalent to the above example:

./streamfwd my.pcap

If you provide a pcap file without the -s <HOST:PORT> option, which names the streamfwd modular input that receives the decoded data, streamfwd assumes "-s localhost:8889". Both of the examples above therefore send the data that the pcap file contains to the streamfwd modular input running on the same server.

Note: Splunk App for Stream does not support the Wireshark pcapng format. To use these files with Stream, you must first convert pcapng to pcap format (for example with Wireshark's editcap utility).

Set bitrate

Use this option to set the rate, in bits per second, at which each pcap file is read:

-b <BITS_PER_SECOND>

By default, the bitrate is 10 Mbps if --repeat (see below) is enabled, otherwise it is unlimited (as fast as possible).

Use system time

This option causes streamfwd to use the system clock time for each packet read, instead of using the timestamps within pcap files.

--systime

Repeat pcap files

Use this option to cause streamfwd to continuously repeat pcap files until it is terminated:

--repeat

For example, to continuously repeat two pcap files at the rate of 1 Mbps each (2 Mbps total):

./streamfwd -r my.pcap -r your.pcap -b 1048576 --repeat
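The shell script below is an added example, not part of Splunk_TA_stream or this manual. It ties together the pcap-reading options above: it checks each capture file's magic number so that a pcapng file is never handed to streamfwd unconverted (the note under "Read pcap files"), converts pcapng with Wireshark's editcap, and assembles the -s, -b, --repeat and -r arguments for a bounded-rate replay like the one just shown. It assumes editcap is on PATH when conversion is needed, that the streamfwd binary is at $STREAMFWD (default ./streamfwd), and that capture file names contain no spaces. The sample files it creates hold only the 4-byte magic numbers and are constructed for demonstration, not real captures.

```shell
#!/bin/sh
# Validate capture files by magic number, convert pcapng to pcap, and build a
# bounded-rate streamfwd replay. Added example; not Splunk's code.
# Assumptions: editcap on PATH for conversion; streamfwd at $STREAMFWD
# (default ./streamfwd); file names without spaces.

capture_format() {
    # Print pcap, pcapng or unknown based on the first four bytes of $1.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) echo pcap ;;   # usec/nsec pcap, either byte order
        0a0d0d0a) echo pcapng ;;                            # pcapng Section Header Block
        *) echo unknown ;;
    esac
}

to_pcap() {
    # Print a path streamfwd can read: $1 itself if it is pcap, otherwise the
    # pcapng converted into $2 (default: $1 with a .pcap extension).
    out=${2:-${1%.*}.pcap}
    case "$(capture_format "$1")" in
        pcap)   printf '%s\n' "$1" ;;
        pcapng) editcap -F pcap "$1" "$out" >/dev/null && printf '%s\n' "$out" ;;
        *)      echo "not a capture file: $1" >&2; return 1 ;;
    esac
}

replay_args() {
    # Build the streamfwd arguments for a looping replay.
    # Usage: replay_args HOST:PORT BITS_PER_SECOND file.pcap [file2.pcap ...]
    target=$1; bps=$2; shift 2
    args="-s $target -b $bps --repeat"
    for f in "$@"; do
        p=$(to_pcap "$f") || return 1
        args="$args -r $p"
    done
    printf '%s\n' "$args"
}

replay() {
    # Run streamfwd with the validated argument list.
    a=$(replay_args "$@") || return 1
    # shellcheck disable=SC2086  # word splitting is intended; no spaces in names
    "${STREAMFWD:-./streamfwd}" $a
}

# Constructed sample files (magic numbers only, not real traffic) for a dry run.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '\324\303\262\241' > "$SAMPLE_DIR/sample.pcap"     # little-endian pcap magic
printf '\012\015\015\012' > "$SAMPLE_DIR/sample.pcapng"   # pcapng SHB type
printf 'hello' > "$SAMPLE_DIR/notes.txt"                   # not a capture

# usage: replay localhost:8889 1048576 my.pcap your.pcap
```

replay_args fails before anything is sent if any file is neither pcap nor convertible, so a mislabelled file does not silently produce an empty replay.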

Get streamfwd version

Use this option to get the current streamfwd version:

--version

./streamfwd --version
streamfwd version 6.0.0 build 450

Modular input scheme

Use this option to print the modular input scheme (the binary prints it on a single line; it is shown indented here for readability):

--scheme

./streamfwd --scheme
<scheme>
  <title>Wire data</title>
  <description>Passively capture wire data from network traffic.</description>
  <use_external_validation>true</use_external_validation>
  <use_single_instance>true</use_single_instance>
  <streaming_mode>xml</streaming_mode>
  <endpoint>
    <args>
      <arg name="splunk_stream_app_location">
        <title>Splunk App for Stream Location</title>
        <description>URI including full path to splunk_app_stream installation (i.e. http://localhost:8000/dj/en-us/splunk_app_stream)</description>
        <validation>validate(match('splunk_stream_app_location', '^https?://.+'), 'Location must start with http:// or https://')</validation>
      </arg>
    </args>
  </endpoint>
</scheme>

Validate modular input arguments

Use this option to validate modular input arguments passed via STDIN (this is the external validation that Splunk invokes because the scheme sets use_external_validation to true):

--validate-arguments
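The shell script below is an added example, not part of Splunk_TA_stream or this manual. It shows how to exercise --validate-arguments from the command line: it applies the scheme's own rule for splunk_stream_app_location ('^https?://.+') locally, builds the document that is fed on STDIN, and pipes it to the binary. It assumes the STDIN document follows the standard Splunk modular-input validation format (<items> with an <item> holding <param> elements), that the binary is at $STREAMFWD (default ./streamfwd), and that rejection is signalled by a non-zero exit status; the item name "streamfwd" and the placeholder host, URI and checkpoint directory are the example's own.

```shell
#!/bin/sh
# Drive `streamfwd --validate-arguments` with a hand-built validation document.
# Added example; not Splunk's code. Assumptions: standard Splunk modular-input
# validation XML on STDIN; streamfwd at $STREAMFWD (default ./streamfwd);
# non-zero exit on rejection.

xml_escape() {
    # Escape the three characters that would break element content.
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

location_matches_rule() {
    # Mirror the scheme's validation regex '^https?://.+' as a shell pattern.
    case "$1" in
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

validation_document() {
    # Emit the validation document for one input whose
    # splunk_stream_app_location is $1. Server fields are placeholders; the
    # session key is left empty for a local smoke test.
    loc=$(xml_escape "$1")
    printf '<items>\n'
    printf '  <server_host>%s</server_host>\n' "${SPLUNK_SERVER_HOST:-localhost}"
    printf '  <server_uri>%s</server_uri>\n' "${SPLUNK_SERVER_URI:-https://127.0.0.1:8089}"
    printf '  <session_key></session_key>\n'
    printf '  <checkpoint_dir>%s</checkpoint_dir>\n' "${SPLUNK_CHECKPOINT_DIR:-/tmp}"
    printf '  <item name="streamfwd">\n'
    printf '    <param name="splunk_stream_app_location">%s</param>\n' "$loc"
    printf '  </item>\n'
    printf '</items>\n'
}

validate_location() {
    # Reject values the scheme would reject before invoking the binary, then
    # let streamfwd give the authoritative verdict.
    if ! location_matches_rule "$1"; then
        echo "rejected locally: '$1' must start with http:// or https://" >&2
        return 1
    fi
    validation_document "$1" | "${STREAMFWD:-./streamfwd}" --validate-arguments
}

# usage: validate_location http://localhost:8000/dj/en-us/splunk_app_stream
```

The local pre-check only repeats what the scheme declares; any further checks the binary performs (for instance, that the location is reachable) are still reported by streamfwd itself.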

Manage SSL keys

Use this option to view existing SSL keys:

--sslkeylist

Use this option to add new SSL keys:

--addsslkey

Use this option to delete existing SSL keys:

--deletesslkey

Note: The --sslkeylist and --addsslkey options create local/keystore.db if it does not already exist. Because the keystore holds the private keys used for decryption, restrict its permissions to the account that runs streamfwd.

Last modified on 03 November, 2016

This documentation applies to the following versions of Splunk Stream: 6.5.0, 6.5.1

