Hi Everyone,
I am using Splunk Stream (packet stream) to capture data from the source and destination content fields.
For a persistent TCP connection I just cannot seem to break/split it into separate events or lines.
Is there no way to do this?
Other advice appreciated.
I am willing to check other alternatives, willing to truncate the data, etc.
Sample event: single TCP connection open/close
{"endtime":"2017-09-17T15:30:47.271015Z","timestamp":"2017-09-17T15:30:36.440073Z","ack_packets_in":4,"ack_packets_out":5,"app":"tcp","bytes":645,"bytes_in":353,"bytes_out":292,"client_rtt":16,"client_rtt_packets":1,"client_rtt_sum":16,"connection":"192.168.100.3:65534","data_packets_in":1,"data_packets_out":0,"dest_ip":"192.168.100.3","dest_port":65534,"duplicate_packets_in":0,"duplicate_packets_out":0,"missing_packets_in":0,"missing_packets_out":0,"network_interface":"lo0","packets_in":6,"packets_out":5,"protocol_stack":"ip:tcp:unknown","server_rtt":40,"server_rtt_packets":2,"server_rtt_sum":81,"src_ip":"192.168.100.3","src_port":51448,"tcp_status":0,"time_taken":10830958,"SRCCNT":"68656c6c6f"}
Sample event: TCP persistent stream
{"endtime":"2017-09-17T15:32:06.278243Z","timestamp":"2017-09-17T15:30:57.342570Z","ack_packets_in":3,"ack_packets_out":158,"app":"tcp","bytes":18484,"bytes_in":9624,"bytes_out":8860,"client_rtt":14,"client_rtt_packets":1,"client_rtt_sum":14,"connection":"192.168.100.3:65534","data_packets_in":153,"data_packets_out":0,"dest_ip":"192.168.100.3","dest_port":65534,"duplicate_packets_in":0,"duplicate_packets_out":0,"missing_packets_in":0,"missing_packets_out":0,"network_interface":"lo0","packets_in":157,"packets_out":158,"protocol_stack":"ip:tcp:unknown","server_rtt":33,"server_rtt_packets":154,"server_rtt_sum":5226,"src_ip":"192.168.100.3","src_port":51475,"tcp_status":0,"time_taken":68935687,"SRCCNT":"68656c6c6f68656c6c6f68656c6c6f68656c6c6f68656c6c6f68656c6c6f68656c6c6f68656c6c6f68656c6c6f68656c6c6f68656c6c6f68656c6c6f68656c6c6f"}
I need the above stream to be broken up into separate events, sort of like a Wireshark view.
Thank You & appreciate any and all ideas/assistance.
Pinaki
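One way to get the "Wireshark-like" view from events like the two above is to post-process the flow event instead of asking Stream to split the connection: decode the hex content field (SRCCNT, where "68656c6c6f" is "hello"), cut the payload into application-layer records, and emit one event per record that still carries the flow tuple. The script below is an added example written for this post, not Splunk code; the two sample events are constructed here as trimmed copies of the ones posted (the second one built as thirteen repetitions of "hello"), and the split rule (fixed 5-byte records, or a delimiter for line-based protocols) is an assumption you have to supply from the protocol you capture, because Stream records no message boundaries. Note also that the flow event only has a start and an end time, so the per-record timestamps are interpolated estimates, not packet times.

```python
"""Explode one Splunk Stream flow event into one event per application
record. Added example for the post above; not Splunk's own code."""
import json
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"   # timestamp/endtime format seen in the posted events

# Constructed samples (hypothetical): trimmed copies of the two events in the post.
SAMPLE_SINGLE = {
    "timestamp": "2017-09-17T15:30:36.440073Z", "endtime": "2017-09-17T15:30:47.271015Z",
    "src_ip": "192.168.100.3", "src_port": 51448,
    "dest_ip": "192.168.100.3", "dest_port": 65534,
    "SRCCNT": "68656c6c6f",            # hex for "hello"
}
SAMPLE_STREAM = {
    "timestamp": "2017-09-17T15:30:57.342570Z", "endtime": "2017-09-17T15:32:06.278243Z",
    "src_ip": "192.168.100.3", "src_port": 51475,
    "dest_ip": "192.168.100.3", "dest_port": 65534,
    "SRCCNT": "68656c6c6f" * 13,       # thirteen "hello" records back to back
}


def decode_content(event, field="SRCCNT"):
    """Stream stores captured content as a hex string; turn it back into bytes."""
    return bytes.fromhex(event[field])


def split_records(payload, delimiter=None, record_size=None):
    """Cut a captured payload into application records.

    Either a delimiter (line-based protocols) or a fixed record size (the
    post's sample, where every message is the 5-byte "hello") is required.
    Which one applies is an assumption about the captured protocol; Stream
    itself does not mark record boundaries.
    """
    if delimiter is not None:
        parts = payload.split(delimiter)
        if parts and parts[-1] == b"":
            parts.pop()                  # drop the empty tail after a trailing delimiter
        return parts
    if record_size:
        return [payload[i:i + record_size] for i in range(0, len(payload), record_size)]
    raise ValueError("need a delimiter or a record_size")


def explode_event(event, **split_kwargs):
    """Return one event dict per record, carrying the flow tuple, the byte
    offset inside the captured content and an estimated timestamp.

    The flow event only has a start and an end time, so record times are
    spread linearly between them; they are estimates, not packet times.
    """
    payload = decode_content(event)
    records = split_records(payload, **split_kwargs)
    start = datetime.strptime(event["timestamp"], TS_FMT)
    span = datetime.strptime(event["endtime"], TS_FMT) - start
    delim_len = len(split_kwargs.get("delimiter") or b"")
    out, offset = [], 0
    for i, rec in enumerate(records):
        frac = i / (len(records) - 1) if len(records) > 1 else 0.0
        out.append({
            "timestamp": (start + span * frac).strftime(TS_FMT),
            "time_estimated": True,
            "src_ip": event["src_ip"], "src_port": event["src_port"],
            "dest_ip": event["dest_ip"], "dest_port": event["dest_port"],
            "seq": i, "offset": offset, "length": len(rec),
            "content_hex": rec.hex(),
            "content": rec.decode("ascii", errors="replace"),
        })
        offset += len(rec) + delim_len
    return out


def to_jsonl(events):
    """One JSON object per line, i.e. one Splunk event per record."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    print(to_jsonl(explode_event(SAMPLE_STREAM, record_size=5)))
```

Run as a script it prints thirteen single-line JSON events for the persistent-stream sample, each with the same src/dest tuple and its own seq, offset and decoded content; fed to Splunk as line-delimited JSON they index as separate events. Two caveats a practitioner should check first: the content field in the second posted event decodes to only a few dozen bytes although the event counts 153 data packets in, so the hex field may not carry the whole stream and any split only covers what was captured into it; and because the per-record times are interpolated, do not use them for anything that needs real packet timing.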