FAQ
Can I add my own protocols?
No. Splunk Stream does not provide a mechanism for adding protocols.
How do I direct traffic from Splunk_TA_stream to a specific index?
You can modify inputs.conf in Splunk_TA_stream/local/ to specify an index.
Note: This index applies to all traffic that the particular instance of Splunk_TA_stream captures; inputs.conf cannot vary it per protocol.
Can I direct data to specific indices based on protocol?
Splunk Stream does not let you direct data to different indices based on protocol. You can, however, set up this functionality using props.conf and transforms.conf files at the parsing tier (indexers or a heavy forwarder). For instructions, see Route specific events to a different index.
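As an added example (not part of the original page), the two files involved in the previous two answers: the index attribute in Splunk_TA_stream/local/inputs.conf, which applies to everything this forwarder captures, and a props.conf/transforms.conf pair on the parsing tier that overrides the index for one Stream sourcetype. The stanza name [streamfwd://streamfwd] and the splunk_stream_app_location attribute are the TA's own; the host name, index names and transform name are assumptions made for the example.

```ini
# Splunk_TA_stream/local/inputs.conf on the host running streamfwd.
# The index set here applies to every protocol this instance captures.
[streamfwd://streamfwd]
# URL of splunk_app_stream that streamfwd polls for its configuration
# (the host name is an example).
splunk_stream_app_location = https://stream-app.example.com:8000/en-us/custom/splunk_app_stream/
# Assumed index name; it must already exist on the indexers.
index = network
disabled = 0

# props.conf on the indexers (or on a heavy forwarder that parses the data),
# not on the universal forwarder. Stream events carry sourcetypes of the
# form stream:<protocol>, so this stanza matches only DNS events.
[stream:dns]
TRANSFORMS-route_dns = route_stream_dns

# transforms.conf on the same host. REGEX = . matches every event of the
# sourcetype; writing _MetaData:Index overrides the index from inputs.conf.
[route_stream_dns]
REGEX = .
DEST_KEY = _MetaData:Index
# Assumed index name; it must also exist on the indexers.
FORMAT = dns
```

The index-time transform only takes effect on the instance that parses the events, so placing props.conf and transforms.conf on a universal forwarder does nothing. Restart splunkd on the parsing tier after the change, and confirm that both indexes exist there, otherwise the events are dropped or land in the last-chance index depending on the indexer's configuration.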
Can I configure endpoints to listen for specific protocols?
You can configure Stream filters to listen for specific protocols on an endpoint. For example, you can use s_ip (source_ip), which is a common flow attribute, to filter for DNS traffic only on a DNS server. Filtering by hostname is not supported.
Note: If endpoints can see each other's traffic because the network switch does not restrict traffic to the packets destined for each endpoint, the same packets can be captured more than once and events will be duplicated.
In a more advanced configuration, you can deploy renamed copies of splunk_app_stream and Splunk_TA_stream and use the Deployment Server to control which endpoints receive which copy. In this case, each renamed copy of Splunk_TA_stream must have its etc/apps/local/inputs.conf modified to point to the correct parent app.
Caution: This is a highly custom configuration. We strongly recommend that you consult Splunk Professional Services before you implement this type of configuration.
Why is Splunk_TA_stream installed on the search head by default?
Splunk_TA_stream is installed on search heads by default in support of single instance deployments.
Splunk_TA_stream is also installed in $SPLUNK_HOME/etc/deployment-apps by default. This facilitates use of the deployment server, which can automatically deploy Splunk_TA_stream to any universal forwarders that you might add to a distributed deployment.
Can I stop Splunk_TA_stream on my search head from capturing data?
You can use the sc_ip field to filter out stream data on the search head. Or you can remove Splunk_TA_stream from the search head.
Can Stream capture uni-directional traffic (ingress or egress only)?
No. Stream must see both directions of a TCP connection, including the full handshake (and shutdown), to properly determine which side is the request and which is the response.
Where on the TA do I set the URL to pull the configuration from splunk_app_stream?
Splunk_TA_stream communicates at regular intervals with splunk_app_stream at a specified URL. If the TA detects a configuration change, it sends a GET request to splunk_app_stream to retrieve the updated configuration. The URL of splunk_app_stream is specified in Splunk_TA_stream/local/inputs.conf. See How streamfwd communicates with splunk_app_stream.
Can Stream read pcap files?
Stream lets you read pcap files and send structured pcap data to indexers using the streamfwd command:
./streamfwd -r foo.pcap -s <host><server>
See Stream command line options.
Can Stream send raw pcap file data into Splunk Enterprise?
The pcap data that streamfwd sends to Splunk indexers is structured event data, not raw packet data. See Send PCAP data.
Can Stream decrypt packets and application data?
In part. You can use the server's SSL private key to decrypt data that the streamfwd binary captures, provided that the session was negotiated with an RSA key-exchange cipher suite using that same private key. Sessions that negotiated their keys with Diffie-Hellman cannot be decrypted this way (see the next question).
Can Stream decrypt Diffie-Hellman (SSL key) traffic?
No. Stream cannot decrypt traffic whose session keys were negotiated with Diffie-Hellman (DH or ECDH) key exchange, regardless of whether the streamfwd binary is collecting data from a TAP or running on the host itself: with Diffie-Hellman, the server's private key alone is not sufficient to recover the session key.
Can I use Chef, Puppet, and other utilities to deploy and manage Stream configuration files?
You can use Chef, Puppet, and other utilities to push the streamfwd binary out to universal forwarders.
Note: The streamfwd binary must maintain a connection with splunk_app_stream to retrieve the stream configuration. In a Deployment Server + Stream Forwarder scenario, the universal forwarder must be able to reach the deployment server (via the deployment client mechanism, port 8089 by default on the Splunk host) and Splunk_TA_stream must be able to reach splunk_app_stream (port 8000 by default on the splunk_app_stream instance). In a Puppet or similar scenario, configuration management replaces the deployment client, but you must still maintain an active connection from the endpoint to the App for Stream host.
Why won't the streamfwd process start up?
Q: I see the following complaint in the forwarder's splunkd.log file:
10-07-2014 16:11:26.140 -0400 INFO ModularInputs - Introspection setup completed for scheme "streamfwd".
10-07-2014 16:11:27.029 -0400 INFO ModularInputs - No stanzas found for scheme "streamfwd" in inputs.conf at script (re)start.
10-07-2014 16:11:27.034 -0400 INFO ExecProcessor - New scheduled exec process: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd
10-07-2014 16:11:32.601 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd" log4cplus:ERROR Unable to open file: /opt/splunk/var/log/splunk/streamfwd.log
A: There is currently an assumption made at install time that the copy of Splunk_TA_stream installed in deployment-apps will land on a system that has the same directory structure as the source system. In the log above, the forwarder is installed under /opt/splunkforwarder, but streamfwd is trying to open its log at /opt/splunk/var/log/splunk/streamfwd.log, which is the deployment server's path. To resolve this, modify deployment-apps/Splunk_TA_stream/default/streamfwdlog.conf to reflect the correct path on the destination forwarders, then redeploy the app.
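An illustration of the fix, added here and not taken from the original page: the File path in streamfwdlog.conf rewritten for a forwarder installed under /opt/splunkforwarder, as in the log above. The file uses log4cplus properties syntax; the appender name STREAMFWD and the layout lines are assumed for the example, and only the File line needs to change.

```ini
# deployment-apps/Splunk_TA_stream/default/streamfwdlog.conf on the deployment server.
# log4cplus properties: the rootLogger names an appender, and the appender's
# File attribute is the path streamfwd tries to open at startup.
log4cplus.rootLogger=INFO, STREAMFWD
log4cplus.appender.STREAMFWD=log4cplus::RollingFileAppender

# Was: /opt/splunk/var/log/splunk/streamfwd.log, the deployment server's own
# layout. That directory does not exist on a forwarder installed under
# /opt/splunkforwarder, so streamfwd reports "Unable to open file" and
# never starts. The path below is the one that exists on the forwarders.
log4cplus.appender.STREAMFWD.File=/opt/splunkforwarder/var/log/splunk/streamfwd.log

# Layout lines are illustrative; they are not what causes the failure.
log4cplus.appender.STREAMFWD.layout=log4cplus::PatternLayout
log4cplus.appender.STREAMFWD.layout.ConversionPattern=%D %-5p %c - %m%n
```

Redeploy the app after the edit and check that streamfwd.log appears under the forwarder's var/log/splunk directory. If the fleet mixes forwarders with different install prefixes, each group needs its own copy of the app with a matching File path.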
Everything is set up correctly, but I don't see any events. What's wrong?
1. The streamfwd binary communicates with splunk_app_stream at regular intervals to retrieve its configuration. You can find the splunk_app_stream URL used for this communication in $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/inputs.conf. If you do not receive stream events, make sure that no firewall rules block access from the forwarder to the splunk_app_stream URL.
2. If the Stream forwarders fail to send data after upgrade, you may see messages similar to this one:
WARN [139650313393920] (HTTPRequestSender.cpp:1485) stream.SplunkSenderHTTPEventCollector - (#7) TCP connection failed: Connection refused
To resolve this, first verify that the Stream forwarder is correctly configured. Then go to the Stream Forward App and update your HEC configuration:
- In the Stream App, open the Distributed Forwarder Management page.
- Select "Install Stream Forwarders".
- Verify the curl command is the same one running on the Stream Forward App.
- Turn off the HEC Autoconfig option.
- Update the Endpoint URLs by manually typing in the HEC (HF or Indexer) URL.
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0