Splunk Stream

User Manual

Configure packet streams

Packet streams let you capture raw network packets based on targets that you define. You can run Splunk searches against full packet data, and use workflow actions to download pcap files containing that data to your local machine.

How targeted packet capture works

Packet streams use targeted packet capture to collect full network packets. Unlike metadata streams, which send all data that match the stream to indexers, packet streams capture only those packets that match pre-defined target fields.

When you create a new packet stream, Stream forwarder picks up the packet stream definition, then captures and stores targeted packets in pcap files on a remote file server. Stream forwarder also indexes metadata that identifies the pcap files in searches and workflow actions.

Packet stream prerequisites

Before you can collect data using packet streams, you must map your Splunk Stream deployment to a remote file server. The app uses the file server to store pcap files that Stream forwarder generates based on the packet stream definition. See Configure targeted packet capture in the Splunk Stream Installation and Configuration Manual.

Splunk Stream lets you capture network event data for a variety of network protocols. Make sure to consider your privacy and security obligations when selecting and using a remote file server for Splunk Stream data.

Targeted packet capture is not supported on Splunk Cloud.

Create new packet stream

  1. Click New Stream > Packet Stream.
  2. Enter a Name and Description (optional) for the new packet stream.
  3. Click Next.
  4. On the Targets page, click Create New Target.
  5. Configure the new target:
     Setting      Description
     Field        Specify the protocol field that you want to target.
     Comparison   Select a comparison type to filter target field data based on specific values.
     Value        Enter a value to compare candidate values against. A few comparison types, such as "Is defined", do not require a value.
     Any/All      Select the condition that events with multiple values for the field must satisfy.
  6. Click Create.
    Your new target appears in the targets list.
  7. Click Next.
  8. On the expiration page, click Add condition.

    Packet stream capture is ephemeral.

  9. Specify the conditions for packet stream expiration. For example, Elapsed Time/1 hour. Click Next.
  10. On the Fields page, enable the fields that you want to include in the packet stream. Click Next.
  11. On the Settings page, configure the following:
     Setting      Description
     Index        Select the index to use for storage of metadata generated by the packet stream.
     Status       Choose whether the packet stream is Enabled or Disabled upon creation.
  12. Add additional targets. (optional)
  13. Select the match condition (Any/All) for the list of targets. This condition applies to all targets in the list.
  14. Click Next.
  15. Select the forwarder groups to use for this stream. Click Create Stream.
  16. The app creates the new packet stream.

  17. Click Done. This sends your new packet stream configuration to the streamfwd binary where data capture occurs.
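As an added illustration (not Splunk Stream's own code), the following Python models how the per-target Any/All condition from step 5 and the stream-level Any/All condition from step 13 decide whether an event is captured. The comparison names "Equals" and "Contains", the field names, and the sample event are assumptions made for this example; only "Is defined" is named on this page.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Union

FieldValue = Union[str, int, List[Any], None]

# Comparison types modelled here. "Is defined" needs no value, as the target
# configuration table notes; "Equals" and "Contains" are assumed names.
COMPARISONS: Dict[str, Callable[[Any, Optional[str]], bool]] = {
    "Is defined": lambda v, _: True,            # only reached when the field is present
    "Equals": lambda v, x: str(v) == x,
    "Contains": lambda v, x: x in str(v),
}


@dataclass
class Target:
    """One target as entered on the Targets page (hypothetical model)."""
    field: str                 # protocol field to inspect
    comparison: str            # key of COMPARISONS
    value: Optional[str] = None
    mode: str = "Any"          # Any/All for events with multiple values

    def matches(self, event: Dict[str, FieldValue]) -> bool:
        if self.comparison != "Is defined" and self.value is None:
            raise ValueError(f'"{self.comparison}" requires a value')
        raw = event.get(self.field)
        if raw is None:                         # field absent: nothing to compare
            return False
        values = raw if isinstance(raw, list) else [raw]
        results = [COMPARISONS[self.comparison](v, self.value) for v in values]
        return any(results) if self.mode == "Any" else all(results)


def stream_matches(targets: List[Target], mode: str,
                   event: Dict[str, FieldValue]) -> bool:
    """Stream-level Any/All condition applied across the whole target list."""
    results = [t.matches(event) for t in targets]
    return any(results) if mode == "Any" else all(results)


# Constructed sample event (not real Stream output): an HTTP exchange whose
# "cookie" field carries two values, so the per-target Any/All setting matters.
EVENT: Dict[str, FieldValue] = {
    "dest_port": 443,
    "http_host": "example.com",
    "cookie": ["session=abc", "theme=dark"],
}
```

With the sample event, a target list of dest_port Equals 443 and cookie Contains "session=" (All) captures the event under the stream-level Any condition but not under All, because only one of the two cookie values contains "session=".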

Search packet stream data

To run a search against captured packets:

  1. In the Splunk Search and Reporting app, in the Search bar, enter the following event type:

    eventtype="stream_pcapsaved"

  2. Optionally add additional event terms to restrict search results.

Download pcap files

To download pcap files associated with a search:

  1. Expand the Event tab.
  2. Click Event Actions > Download capture file. The pcap file downloads to your local machine.

Create custom (cloned) streams

You can clone any existing streams to create new custom streams. This lets you create variations on your streams and capture data with additional granularity.

When you clone a stream, the app produces an exact duplicate of the original stream, including all enabled fields and existing filters. You can then add additional capture rules, such as aggregation, filters, content extraction, and file extraction.

To create a custom (cloned) stream:

  1. In the Configure Streams UI, click on the name of the stream you want to clone.
  2. Click Clone.
  3. Enter a Name and Description for the new stream. Click OK. The new stream appears in the list of streams in the Configure Streams UI.
  4. Click Enabled to enable capture for the cloned stream.
  5. Click Save.
Last modified on 03 March, 2022

This documentation applies to the following versions of Splunk Stream: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3