Splunk Enterprise

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Documentation

Splunk Enterprise

Splunk Enterprise Contents

Get Started

Administer

Search

Manage Knowledge Objects

Leverage REST APIs

Release Notes and Updates

Analytics and Insights

Create Dashboards and Reports

Alert and Respond

Apply Machine Learning

Data Sources

Get Data In

Forward and Process Data

Connect Relational Databases

Collect Stream Data

Install and Configure Splunk Stream

Common Information Model

Splunk Edge Hub

Apps for Mobile Devices

REST API Reference

SPL Search Reference

Splunk Validated Architectures

streamfwd.conf

The following is the spec file for streamfwd.conf.

streamfwd.conf.spec



[streamfwd]
* This is currently the only supported stanza for this spec file.
* All streamfwd.conf settings are incorporated under this single stanza.

clientIpSslHashBytes = <integer>
* Defines number of client IP octets to use for SSL processor thread hash algorithm. (min value = 0; max value = 4)
* Applies only if you have _disabled_ useGlobalSSLSessionKeyCache

duplicatePacketWindow = <integer>
* Defines number of packets cached in memory (using a rolling window) to detect duplicate packets.
* Set this to a value greater than zero to enable automatic deduplication of network packets.

hideCreditCardNumbers = <boolean>
* Masks credit card numbers. Set to false to show all credit card numbers.

mapSslServers = <boolean>
* Set to false to disable automatic caching of SSL server certificates to corresponding servers's IP addresses.

maxEventQueueSize = <integer>
* Defines maximum number of events queued for delivery to Splunk.

maxFieldSize = <bytes>
* Defines maximum size of content field.

maxPacketQueueSize = <integer>
* Defines maximum size for each processing thread's packet queue.

maxTcpReassemblyPacketCount = <integer>
* Defines maximum number of TCP packets in reassembly queue per processing thread.

maxTcpSessionCount = <integer>
* Defines maximum number of concurrent TCP/UDP flows per processing thread.

maxFlows = <integer>
* Defines maximum number of concurrent flows per prcessing thread.

pcapBufferSize = <bytes>
* Defines buffer size for each network device. Increase the number of bytes if you see dropped packets.

pingInterval = <seconds>
* Modifies the ping server interval.

processingThreads = <integer>
* Defines number of threads to use for processing network traffic.

sessionKeyTimeout = <seconds>
* Indicates idle time before SSL session keys expire.

tcpConnectionTimeout = <seconds>
* Indicates idle time before TCP/UDP flows expire.

tcpFlowTimeout = <seconds>
* Indicates idle time before TCP flows expire.

udpFlowTimeout = <seconds>
* Indicates idle time before UDP flows expire.

arpFlowTimeout = <seconds>
* Indicates idle time before ARP flows expire.

ipFlowTimeout = <seconds>
* Indicates idle time before IP flows expire.

useGlobalSSLSessionKeyCache = <boolean>
* Enables sharing of SSL cache across processing threads. Set to true to share.

usePacketMemoryPool = <boolean>
* When set to true, Stream forwarder uses a pool allocator to allot memory for storing network packets.
* Because the pool allocator does not release unused memory back to the operating system, setting this
parameter to true may result in high memory usage.
* Set to true only when Stream forwarder is running on a dedicated capture server that processes large
traffic volumes.

configTemplateName = <value>
* Indicates the product template to use. <value> is the valid name of an installed product template (e.g. es, itsi).

indexer.<N>.uri = <value>
* When running Stream forwarder in Independent agent mode, use this parameter to specify the location of 
Splunk indexers where you want to receive Stream forwarder generated events.
* <value> is a valid URI pointing to a Splunk indexer.

analyzeRawSSL = <value>

creditCardNumbersMask = <value>

creditCardNumbersRegex = <value>

httpEventCollectorToken = <value>

ipAddr = <value>

logConfig = <value>

maxEventAttributes = <value>

packetBatchSize = <value>

port = <value>

sslKey = <value>

fileServerMountPoint = <value>
* Mount point of a file server to save packets into PCAP files for targeted packet capture. This setting is also used for saving files that have been extracted while being transferred over the network.
* If this value is left blank, then the files will not be saved.

fileServerId = <value>
* File server id is used to uniquely identify the file server.
* This value needs to match the file server id set in the search head configuration. 
* If this value does not match with the value set in search head configuration, then the user will not be able to download the file using event flow action. 

maxFlowPacketsToCache = <integer>
* Maximum number of packets per flow to be cached and saved into PCAP files for targeted packet capture. 
* If the packet cache reaches this limit, then the earlier packets will be discarded to maintain this cache limit. This setting helps in managing the memory usage for targeted packet capture. 
* Higher value of this setting, will result in more memory usage.
* Default is 50.

packetSenderQueueSize = <integer>
* Defines number of files to be saved to the file server. If this queue gets full, then overflow of files will be discarded until there is space available to add a new file.
* Slow throughput to the file server could result in this queue getting full quickly.
* Default is 100000.

streamfwdcapture

##############################################################################################################################
# streamfwdcapture
#
# By default, streamfwd listens for traffic on all available network interfaces.
# Using the streamfwdcapture parameter you can restrict data capture to specific interfaces only.
##############################################################################################################################

streamfwdcapture.<N>.bitsPerSecond = <integer>
* Only applies if offline is true.
* Rate limiter: if undefined, defaults to 10 Mbps if <Repeat> is true, else 100 Mbps.

streamfwdcapture.<N>.filter = <BPF>
* Lets you set a BPF (Berkeley Packet Filter) for kernel-level packet filtering. The value of this tag must comply with BPF syntax.
* Only one filter variable per streamfwdcapture parameter is supported.

streamfwdcapture.<N>.interface = <string>
* Specifies a network interface name or a path to a pcap file or a directory of pcap files.

streamfwdcapture.<N>.interfaceRegex = <regex>
* A regular expression specifying which network interfaces to capture.

streamfwdcapture.<N>.offline = <boolean>
* True means use pcap files: interface must be a pcap file or a directory to monitor for pcap files.
* False means interface is a network device name.
* Default is false.

streamfwdcapture.<N>.repeat = <boolean>
* Only applies if interface is a pcap file.
* True means to play back the pcap file repeatedly for continuous load.

streamfwdcapture.<N>.afterIngest = delete | move [<subdir>] | ignore | repeat | stop
* Only applies if interface is a directory.
* Specifies action to take after ingesting a pcap file from the directory.
* delete: Delete the file.
* move [<subdir>]: Move the file to a subdirectory (which will be created if needed).  Default is finished_pcaps.
* ignore: Leave the file but mark it as already processed.
* repeat: Continue to re-ingest all pcap files in rotation.
* stop: Leave the file.  After processing each directory once, stop monitoring.
* Default is move.

streamfwdcapture.<N>.sysTime = <boolean>
* Only applies if offline is true.
* True means to use the system time for packet timestamps instead of actual timestamps from pcap file.  Default is false.

streamfwdcapture.<N>.munge = <boolean>

tcpServer

##############################################################################################################################
# tcpServer
#
# Stream forwarder automatically detects the client and server endpoints when it captures the beginnings of TCP connections.
# If it starts capturing traffic after establishing a TCP connection, Stream forwarder normally assumes that the sender of the
# first packet it sees is the client.
# You can modify this behavior by using the tcpServer parameter to define the endpoints of specific TCP servers.
# If the sender of a packet matches the endpoint, Stream forwarder correctly categorizes it as a server response packet.
##############################################################################################################################

tcpServer.<N>.address = <ip address>

tcpServer.<N>.addressWildCard = <address mask>

tcpServer.<N>.port = <integer>

sslServer

##############################################################################################################################
# sslServer
#
# Stream forwarder detects endpoint encryption, and attempts to decrypt SSL sessions using the available private keys.
# Optionally, you can explicitly define the traffic as encrypted by adding sslServer parameters.
##############################################################################################################################

sslServer.<N>.address = <ip address>

sslServer.<N>.port = <integer>

netflowReceiver

##############################################################################################################################
# netflowReceiver
#
# By default, streamfwd listens for traffic on all available network interfaces.
# Using the netflowReceiver parameter streamfwd can receive flow data (netflow/sflow) from network devices.
##############################################################################################################################

netflowReceiver.<N>.ip = <ip address>
* IP address to bind to. Default uses first available ip

netflowReceiver.<N>.port = <integer>
* Port number to listen for flow data.

netflowReceiver.<N>.decoder = <flow decoder>
* Flow protocol to listen for. Valid values are netflow and sflow

netflowReceiver.<N>.filter = <ip address>
* Comma separated list of ip addresses that are allowed to send flow data to this streamfwd instance. Default allows for all ip's to send data

netflowElement

##############################################################################################################################
#netflowElement
#
# Allows for adding enterprise specific flow elements. This maps enterprise element id to stream forwarder vocabulary term.
# Make sure to add the termid to steamfwd vocabulary in vocabulary.xml file
##############################################################################################################################

netflowElement.<N>.enterpriseid = <integer>
* IANA defined enterprise ID e.g. 25461 for Palo Alto Networks as defined here http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

netflowElement.<N>.id = <integer>
* ID of Enterprise element e.g. 100

netflowElement.<N>.termid = <vocabulary term>
* streamfwd vocabulary term the above element id maps to e.g. netflow-paloalto.user-id.

Installation Manuals

Splunk Stream

Last updated: April 25, 2025

Explore Topics

Splunk Observability Cloud

Splunk IT Service Intelligence

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

AppDynamics SaaS

About This Site

Community Support

Supported Add-ons

©2005-2025 Splunk Inc. All rights reserved.