A workaround is using the CLI to read the PCAP. The streamfwd binary location depends on your OS architecture, as detailed in the documentation.
https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/streamfwdcommandlineoptions
streamfwd -r "{}"
Although Stream 7.2 lists Splunk 8.0 as supported, direct PCAP uploads are not. That is included in the release notes as a known issue without much information.
https://docs.splunk.com/Documentation/StreamApp/7.2.0/ReleaseNotes/Knownissues
One of the secondary issues is that Splunk Stream assumes that file information passed to Stream is correct before it does regex extraction of the input PCAP filename. When this happens, the input script does not provide any useful information when the regex search fails.
From what I see, the issue comes from the way that Quake passes the data to Stream on stdin.
Value passed to stdin: "<__main__.UnicodePart object at 0x00000000>"
Expected value: "FieldStorage('pcap_file', 'example_filename.pcap', 'example filedata')"
I'd appreciate it if Splunk used something like the following to replace the get_pcap_filename and get_pcap_data functions, so that any related errors returned to the user don't require extra work to search for the issue.
import re

def get_pcap_fileinfo(config, info_type):
    # Only the two named pieces of the upload can be requested.
    if info_type not in {'filename', 'filedata'}:
        raise Exception("Invalid PCAP information requested.")
    # Parse the FieldStorage repr that Stream expects to receive on stdin, e.g.
    # FieldStorage('pcap_file', 'example_filename.pcap', 'example filedata')
    # re.DOTALL is added so that filedata may span newlines, as raw PCAP bytes will.
    upload_parser = re.compile(
        r'^FieldStorage\(\'pcap_file\',\s\'(?P<filename>[^\']+)\',\s["\'](?P<filedata>.+)["\']\)$',
        re.DOTALL)
    fileinfo_match = upload_parser.search(config['pcap_file'])
    if fileinfo_match:
        fileinfo = fileinfo_match.group(info_type)
    else:
        # Fail loudly, naming the known issue, instead of a silent regex miss.
        raise Exception("Could not extract filename or filedata from user input. Known issue for Splunk 8.0 (Quake) and Stream 7.2 (STREAM-4235)")
    return fileinfo
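The following is an added example, not code from the post above or from Splunk Stream, of a parser for the stdin value the post describes. It goes a little beyond the post's function: it recognises the "<__main__.UnicodePart object at 0x...>" repr that the post reports arriving from Splunk 8.0 and names the known issue in its error, it lets filedata span newlines (raw PCAP bytes will), and it keeps only the basename of the uploaded filename before building the "streamfwd -r" command line for the CLI workaround. The sample stdin values are constructed from the two strings quoted in the post; the basename step and the PcapUploadError class are assumptions of this example, not behaviour of Stream.

```python
import os
import re

# Repr the post says Stream expects on stdin, e.g.
# FieldStorage('pcap_file', 'example_filename.pcap', 'example filedata')
# re.DOTALL so that filedata containing newlines (raw PCAP bytes) still matches.
UPLOAD_RE = re.compile(
    r"^FieldStorage\('pcap_file',\s'(?P<filename>[^']+)',\s[\"'](?P<filedata>.+)[\"']\)$",
    re.DOTALL,
)

# Repr the post reports actually arriving from Splunk 8.0 (Quake).
BROKEN_RE = re.compile(r"^<__main__\.UnicodePart object at 0x[0-9A-Fa-f]+>$")


class PcapUploadError(Exception):
    """Raised when the stdin value cannot be turned into (filename, filedata).
    (Exception class assumed for this example.)"""


def parse_pcap_upload(value):
    """Return (filename, filedata) from the FieldStorage repr, or raise a
    PcapUploadError whose message says which failure occurred."""
    if BROKEN_RE.match(value):
        raise PcapUploadError(
            "Received a UnicodePart object instead of FieldStorage; known issue "
            "with Splunk 8.0 (Quake) and Stream 7.2 (STREAM-4235). Workaround: "
            "read the PCAP from the CLI with 'streamfwd -r <file>'."
        )
    m = UPLOAD_RE.match(value)
    if not m:
        raise PcapUploadError(
            "Could not extract filename or filedata from stdin value %r" % value[:80]
        )
    # The filename is upload metadata chosen by whoever submitted the form;
    # keeping only the basename (an assumption of this example) means it can
    # never point outside the directory the PCAP is written to.
    filename = os.path.basename(m.group("filename"))
    return filename, m.group("filedata")


def streamfwd_command(filename, directory="/tmp"):
    """Build argv for the CLI workaround from the post (not executed here).
    The directory is an assumed drop location for the uploaded PCAP."""
    return ["streamfwd", "-r", os.path.join(directory, filename)]


if __name__ == "__main__":
    # Constructed inputs: the expected value and the broken value from the post.
    for stdin_value in (
        "FieldStorage('pcap_file', 'example_filename.pcap', 'example filedata')",
        "<__main__.UnicodePart object at 0x00000000>",
    ):
        try:
            name, _data = parse_pcap_upload(stdin_value)
            print("parsed:", name, "->", " ".join(streamfwd_command(name)))
        except PcapUploadError as err:
            print("error:", err)
```

The two regexes are checked in order so that the Quake case produces a message pointing at STREAM-4235 and the CLI workaround, while any other unexpected value still fails with the offending input quoted rather than a bare "regex did not match".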