Splunk Stream

User Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Configure streams to capture network data

Splunk Stream supports passive capture of network data for a number of protocols. This page discusses how to create stream configurations. These stream configurations determine the characteristics of network data capture that the Stream forwarders perform on the network interface.

How to use streams

In Splunk Stream, a grouping of network event data is called a "stream." You can use the Configure Streams UI to create any number of unique streams for supported network protocols. Stream forwarder retrieves your streams' configurations and captures data on the network interface based on those configurations.

When you create a stream, depending on the stream type, you can:

  • Specify a network protocol and target protocol fields.
  • Create filters to constrain data capture and minimize indexer requirements.
  • Apply aggregation methods for statistical analysis of captured event data.
  • Use content extraction rules to capture subsets of data.
  • Use file extraction to capture files for analysis.
  • Capture full network packets for detailed inspection.

Supported stream types

Splunk Stream supports these stream types:

Stream Type Description
Metadata stream Captures network traffic metadata generated by network and system devices. See Configure metadata streams
Packet stream Captures full network packets based on specific target fields. Enables searches against raw packet data. Supports extraction of packet contents and download of raw packets for detailed inspection. See Configure packet streams
Ephemeral stream Monitor ephemeral (time-limited) streams in Splunk apps that support ephemeral streams via Stream REST API. See Configure Ephemeral streams
Streams that apply aggregation See Configure Streams to apply aggregation
Streams that use content extraction See Configure streams to use content extraction

Stream configuration locations

The streams that you configure using the Configure Streams UI are stored in the KV store. You cannot access them from the file system. You can, however, access individual stream configurations in the KV store using the Stream REST API. See /streams/{stream_id} in the Splunk Stream REST API reference.

Last modified on 03 March, 2022
  Configure metadata streams

This documentation applies to the following versions of Splunk Stream: 7.3.0, 7.4.0, 8.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters