
Can the Splunk App for Stream extract payload data?

hakansel05
New Member

Hi all,

Can the Splunk App for Stream save and/or extract the payload data? If yes, how can I enable this for stream?

Thanks in advance.

0 Karma

vshcherbakov_sp
Splunk Employee

Hello,

Stream supports the generic src_content/dest_content fields that represent the "payload" data for certain protocols such as HTTP or TCP. You can also extract specific parts of these fields (or any other textual fields, for that matter) with a regular expression using the so-called "content extraction" feature of Stream. Here's the documentation link for more details: http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/ConfigureStreams#Use_Content_Ex...

0 Karma

hakansel05
New Member

Thanks, but there are no fields such as src_content/dest_content. I have also analyzed the raw stream data event by event, and there is no such data. Is any further configuration needed to capture more detailed wire data?

0 Karma

vshcherbakov_sp
Splunk Employee

The src_content/dest_content fields are available only for the HTTP and TCP/UDP protocols and are not enabled by default; you'll need to go to the Streams Config page and enable them. Also, there's a default field size limit of 10K that you may want to change by setting the MaxFieldSize parameter (see http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/ConfigureStreamForwarder#Advanc... for more details).

0 Karma
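The two answers above describe three things a practitioner will want to check once payload capture is switched on: whether src_content/dest_content are actually present in the indexed events, whether a captured body has hit the MaxFieldSize limit (and is therefore silently cut off), and how a regex pulls a specific value out of a content field. The script below is an added example, not code from the original thread or from the Stream app, and it runs over constructed JSON events of the shape Stream produces for HTTP. The 10240-byte value for MaxFieldSize is an assumption standing in for "10K"; check the actual default in your streamfwd.conf. The regex extraction is our own re-implementation of what a content-extraction rule does, not Stream's code.

```python
import json
import re

# Assumed default for the Stream MaxFieldSize parameter ("10K" in the answer above).
# Verify against your own streamfwd.conf before relying on this number.
MAX_FIELD_SIZE = 10240

CONTENT_FIELDS = ("src_content", "dest_content")

# Constructed sample events, one JSON object per line, trimmed to the fields that
# matter here. They were not captured from a real deployment.
SAMPLE_RAW = [
    # payload fields enabled, short request and response bodies
    json.dumps({"protocol": "http", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "uri_path": "/login", "src_content": "user=alice&pass=hunter2",
                "dest_content": '{"status":"ok","session":"abc123"}'}),
    # payload fields not enabled: the situation described in the question
    json.dumps({"protocol": "http", "src_ip": "10.0.0.5", "dest_ip": "10.0.0.9",
                "uri_path": "/index.html"}),
    # payload enabled, but the response body filled the field up to the size limit
    json.dumps({"protocol": "http", "src_ip": "10.0.0.7", "dest_ip": "10.0.0.9",
                "uri_path": "/big", "dest_content": "A" * MAX_FIELD_SIZE}),
]


def parse_events(raw_lines):
    """Parse one JSON event per line, as exported from a Splunk search."""
    return [json.loads(line) for line in raw_lines]


def audit_event(event, max_field_size=MAX_FIELD_SIZE):
    """Report whether the payload fields are present and whether any of them
    looks truncated (length at or above the configured limit)."""
    present = {f: f in event for f in CONTENT_FIELDS}
    truncated = {f: present[f] and len(event[f]) >= max_field_size
                 for f in CONTENT_FIELDS}
    return {
        "has_payload": any(present.values()),
        "present": present,
        "possibly_truncated": truncated,
    }


def audit_events(raw_lines, max_field_size=MAX_FIELD_SIZE):
    """Audit a whole export; returns one report per event in input order."""
    return [audit_event(e, max_field_size) for e in parse_events(raw_lines)]


def extract_from_content(event, field, pattern):
    """Apply a regex with named groups to one content field, the way a Stream
    content-extraction rule would (our re-implementation, not Stream's).
    Returns None if the field is absent or the pattern does not match."""
    if field not in event:
        return None
    match = re.search(pattern, event[field])
    return match.groupdict() if match else None


if __name__ == "__main__":
    events = parse_events(SAMPLE_RAW)
    for i, report in enumerate(audit_events(SAMPLE_RAW)):
        print(i, report)
    # Pull the session token out of the response body of the first event.
    print(extract_from_content(events[0], "dest_content",
                               r'"session":"(?P<session>[^"]+)"'))
```

A report with has_payload set to False on every event means the content fields were never enabled for that stream, which is what the original poster observed; a possibly_truncated flag means the body reached the limit and the tail was dropped, so raise MaxFieldSize before trusting any regex extraction over it. Note what the first sample event shows: once payload capture is on, credentials and session tokens on the wire end up in the index, so restrict the streams you enable it for and the roles that can search them.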