Configure targeted packet capture
To collect full network packets using targeted packet capture, map your Splunk Stream deployment to a remote file server. Splunk Stream Forwarder uses the file server to store PCAP files that it generates based on packet stream definitions. For more information, see Configure packet streams in the Splunk Stream User Manual.
Map deployment to remote file server
To configure targeted packet capture, you map your Splunk Stream deployment to a remote file server. Before you create new packet streams in the Splunk App for Stream, configure your Stream forwarder and the Splunk Independent Stream Forwarder deployments for targeted packet capture.
1. Set up and mount the file server
- Make sure you have an NFS (or similar) file server volume. To create one, see Set up a NFS server.
- On the host machine running the
streamfwdbinary, mount your file server volume.
2. Add file server parameters to
- Add the server information to the
- Restart Splunk.
fileServerId = <value> fileServerMountPoint = <value>
[streamfwd] fileServerId = nfs://192.168.6.1/packetcaptures fileServerMountPoint = /usr/local/packetcaptures
3. Mount the file server on your search head
On the search head running
splunk_app_stream, create a mount point. For more information, see Setting up a NFS client.
4. Configure a mount point for the file server
- In the Splunk App for Stream UI, click Configuration > File Server Mount Points.
- Click Add File Server.
- Specify the File Server and Mount Point.
- Click Create.
Create new packet streams
After mapping your Splunk Stream deployment to your remote file server, you are ready to create new packets streams and collect full network packets using targeted packet capture.
- In the Splunk App for Stream, click Configuration > Configure Streams.
- Click New Stream > Packet Stream.
- Follow the steps in the workflow wizard to configure your packet stream. For detailed instructions, see Configure packet streams.
Configure file extraction
Configure 10Gbps network capture
This documentation applies to the following versions of Splunk Stream™: 8.0.1, 8.0.2, 8.1.0
Feedback submitted, thanks!