Configure streams to capture network data

Splunk Stream supports passive capture of network data for a number of protocols. This page discusses how to create stream configurations. These stream configurations determine the characteristics of network data capture that the Stream forwarders perform on the network interface.

How to use streams

In Splunk Stream, a grouping of network event data is called a "stream." You can use the Configure Streams UI to create any number of unique streams for supported network protocols. The Stream forwarder retrieves your streams' configurations and captures data on the network interface based on those configurations.

When you create a stream, depending on the stream type, you can:

  • Specify a network protocol and target protocol fields.
  • Create filters to constrain data capture and minimize indexer requirements.
  • Apply aggregation methods for statistical analysis of captured event data.
  • Use content extraction rules to capture subsets of data.
  • Use file extraction to capture files for analysis.
  • Capture full network packets for detailed inspection.

Supported stream types

Splunk Stream supports these stream types:

  • Metadata stream: Captures network traffic metadata generated by network and system devices. See Configure metadata streams.
  • Packet stream: Captures full network packets based on specific target fields. Enables searches against raw packet data. Supports extraction of packet contents and download of raw packets for detailed inspection. See Configure packet streams.
  • Ephemeral stream: Monitors ephemeral (time-limited) streams in Splunk apps that support ephemeral streams via the Stream REST API. See Configure Ephemeral streams.
  • Streams that apply aggregation: See Configure Streams to apply aggregation.
  • Streams that use content extraction: See Configure streams to use content extraction.

Stream configuration locations

The streams that you configure using the Configure Streams UI are stored in the KV store. You cannot access them from the file system. You can, however, access individual stream configurations in the KV store using the Stream REST API. See /streams/{stream_id} in the Splunk Stream REST API reference.
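Because stream configurations live only in the KV store and are reachable through the REST API rather than the file system, reviewing what a forwarder is actually capturing means working from the JSON documents that /streams/{stream_id} returns. The following is an added example, not Splunk's own code: it audits a constructed set of stream documents for enabled streams that widen capture scope (full packet capture, no filters, sensitive fields). The JSON field names used (id, enabled, streamType, filters, fields) are an assumption made for illustration.

```python
import json

# Constructed sample documents. The field names are assumed for this example;
# check them against the JSON your own Stream REST API returns.
SAMPLE_STREAMS = json.loads("""
[
 {"id": "http", "protocol": "http", "streamType": "metadata", "enabled": true,
  "filters": [{"field": "dest_port", "comparison": "equals", "value": "80"}],
  "fields": [{"name": "src_ip", "enabled": true}, {"name": "cookie", "enabled": true}]},
 {"id": "dns_full", "protocol": "dns", "streamType": "packet", "enabled": true,
  "filters": [], "fields": []},
 {"id": "smb_old", "protocol": "smb", "streamType": "metadata", "enabled": false,
  "filters": [], "fields": [{"name": "file_name", "enabled": true}]}
]
""")

# Captured fields whose presence in indexed data a reviewer would want to notice.
SENSITIVE_FIELDS = {"cookie", "password", "authorization"}


def audit_streams(streams):
    """Return (stream_id, finding) tuples for enabled streams whose configuration
    captures more than a filtered metadata stream would.

    Disabled streams are skipped because the forwarder captures nothing for them.
    """
    findings = []
    for stream in streams:
        if not stream.get("enabled", False):
            continue
        sid = stream["id"]
        # Packet streams store raw packet contents, not just metadata.
        if stream.get("streamType") == "packet":
            findings.append((sid, "full packet capture: raw payloads are indexed"))
        # An empty filter list means every flow for the protocol is captured.
        if not stream.get("filters"):
            findings.append((sid, "no filters: captures all traffic for protocol"))
        for field in stream.get("fields", []):
            if field.get("enabled") and field.get("name") in SENSITIVE_FIELDS:
                findings.append((sid, f"sensitive field enabled: {field['name']}"))
    return findings


if __name__ == "__main__":
    for stream_id, finding in audit_streams(SAMPLE_STREAMS):
        print(f"{stream_id}: {finding}")
```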

Configure metadata streams

