Stream supports the generic src_content/dest_content fields that represent the "payload" data for certain protocols such as HTTP or TCP. You can also extract specific parts of these fields (or any other textual fields for that matter) with a regular expression using so called "content extraction" feature of Stream. Here's the documentation link for more details: http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/ConfigureStreams#Use_Content_Ex...
Thanks but, there are no fields as src_content/dest_content. Also I have analyzed at the raw stream data in event by event, there is no like that data. Is there any need to more configuration to get more detailed capturing wire data?
src_content/dest_content fields are available only for HTTP and TCP/UDP protocols and not enabled by default - you'll need to go to the Streams Config page and enable them. Also, there's a default field size limit of 10K that you may want to change by setting the MaxFieldSize parameter (see http://docs.splunk.com/Documentation/StreamApp/6.3.2/DeployStreamApp/ConfigureStreamForwarder#Advanc... for more details)
