Splunk Stream lets you capture network event data for a variety of network protocols. Packet streams let you capture raw network packets based on targets that you define. Packet streams use targeted packet capture to collect full network packets. Unlike metadata streams, which send all data that match the stream to indexers, packet streams capture only those packets that match pre-defined target fields. You can run Splunk searches against full packet data, and use workflow actions to download pcap files containing that data to your local machine.

When you create a new packet stream, Stream forwarder picks up the packet stream definition, then captures and stores targeted packets in pcap files on a remote file server. Stream forwarder also indexes metadata that identifies the pcap files in searches and workflow actions.

Before you can collect data using packet streams, you must map your Splunk Stream deployment to a remote file server. The app uses the file server to store pcap files that Stream forwarder generates based on the packet stream definition. See Configure targeted packet capture in the Splunk Stream Installation and Configuration Manual. Make sure to consider your privacy and security obligations when selecting and using a remote file server for Splunk Stream data.

Targeted packet capture is not supported on Splunk Cloud.

Create new packet stream

1. Enter a Name and Description (optional) for the new packet stream.
2. On the Targets page, click Create New Target.
   - Specify the protocol field that you want to target.
   - Select a comparison type to filter target field data based on specific values.
   - Enter a value to compare candidate values against. A few comparison types, such as "Is defined", do not require a value.
   - Select the condition that events with multiple values for the field must satisfy.
   Your new target appears in the targets list.
3. On the Expiration page, click Add condition. Specify the conditions for packet stream expiration.
4. On the Fields page, enable the fields that you want to include in the packet stream.
5. On the Settings page, configure the following:
   - Choose if the packet stream is Enabled or Disabled upon creation.
   - Select the index to use for storage of metadata generated by the packet stream.
   - Select the match condition (Any/All) for the list of targets. This condition applies to all targets in the list.
   - Select the forwarder groups to use for this stream.
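The steps above combine three levels of matching: a comparison type on one protocol field, a condition for events that carry several values for that field, and a stream-wide Any/All condition across the target list. The following is an added illustration, not Splunk's or the Splunk Stream app's own code: it models that selection logic in plain Python so you can see which events a given target list would pull into a pcap before you commit a stream definition. The comparison-type names, the multivalue condition names, the protocol field names (`http.status`, `http.uri`, `dest_port`, `src_ip`), and the sample events are all assumptions constructed for the example.

```python
"""Model of packet-stream target selection (added illustration, not Splunk code)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Comparison types below are assumed names for this illustration, not
# Splunk Stream's own list. "is defined" mirrors the documented case of a
# comparison that needs no value.
def _compare(comparison: str, candidate: Any, value: Optional[str]) -> bool:
    if comparison == "is defined":
        return candidate is not None
    if candidate is None:
        return False
    if comparison == "equals":
        return str(candidate) == value
    if comparison == "contains":
        return value in str(candidate)
    if comparison == "greater than":
        return float(candidate) > float(value)
    raise ValueError(f"unknown comparison type: {comparison}")


@dataclass
class Target:
    field_name: str              # protocol field to target (hypothetical names)
    comparison: str              # comparison type applied to the field
    value: Optional[str] = None  # not needed for "is defined"
    multivalue: str = "any"      # condition an event with several values must satisfy

    def matches(self, event: Dict[str, Any]) -> bool:
        raw = event.get(self.field_name)
        values = raw if isinstance(raw, list) else [raw]
        results = [_compare(self.comparison, v, self.value) for v in values]
        return all(results) if self.multivalue == "all" else any(results)


@dataclass
class PacketStream:
    name: str
    targets: List[Target]
    match_condition: str = "any"  # Any/All, applied across the whole target list
    enabled: bool = True          # a disabled stream captures nothing

    def selects(self, event: Dict[str, Any]) -> bool:
        if not self.enabled or not self.targets:
            return False
        hits = (t.matches(event) for t in self.targets)
        return all(hits) if self.match_condition == "all" else any(hits)


def select_events(stream: PacketStream, events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the events whose packets this stream would capture."""
    return [e for e in events if stream.selects(e)]


# Constructed sample events; the third carries multiple values for two fields.
EVENTS = [
    {"src_ip": "10.0.0.5", "dest_port": 80, "http.status": 500, "http.uri": "/login"},
    {"src_ip": "10.0.0.6", "dest_port": 443},
    {"src_ip": "10.0.0.7", "dest_port": 80, "http.status": [200, 302], "http.uri": ["/", "/redirect"]},
]


def demo() -> Dict[str, List[str]]:
    """Show how the target-level and stream-level conditions change what is captured."""
    both_targets = PacketStream("login-errors", [
        Target("http.status", "greater than", "399"),
        Target("http.uri", "contains", "/login"),
    ], match_condition="all")
    defined_only = PacketStream("http-only", [Target("http.status", "is defined")])
    mv_any = PacketStream("mv-any", [Target("http.status", "greater than", "250", multivalue="any")])
    mv_all = PacketStream("mv-all", [Target("http.status", "greater than", "250", multivalue="all")])
    return {
        "all": [e["src_ip"] for e in select_events(both_targets, EVENTS)],
        "defined": [e["src_ip"] for e in select_events(defined_only, EVENTS)],
        "mv_any": [e["src_ip"] for e in select_events(mv_any, EVENTS)],
        "mv_all": [e["src_ip"] for e in select_events(mv_all, EVENTS)],
    }


if __name__ == "__main__":
    for label, ips in demo().items():
        print(f"{label}: {ips}")
```

The `mv_any` and `mv_all` streams use the same target and differ only in the multivalue condition; the event with statuses 200 and 302 is captured by the first and not the second, which is the distinction step 2 asks you to decide. Keeping capture narrow at this level matters because each matched event ends up as a full packet in a pcap on the remote file server.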