topic Re: How to configure the Splunk Flow Collector Setup in Splunk Stream? in All Apps and Add-ons

How to configure the Splunk Flow Collector Setup in Splunk Stream?

seg42 — Tue, 29 Sep 2020 18:47:45 GMT

Hi all!
I am trying to set up the flow collector to ingest netflow into my Splunk instance according to the docs (https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/ConfigureFlowcollector)

I am running a single instance to implement a PoC, so nothing fancy here.

What I've got so far: I installed Splunk_TA_Stream and fixed the permissions.

I also set up a $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf with my ingest settings:

[streamfwd]
netflowReceiver.0.ip = 172.16.1.3
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

But no matter how I try, the configured port never opens up, shows in netstat or is reachable via nc/telnet.

Any help on how to get this config running would be greatly appreciated!

Re: How to configure the Splunk Flow Collector Setup in Splunk Stream?

seg42 — Sun, 15 Apr 2018 16:40:35 GMT

After a lot of searching around, I found the culprit.

For anyone stumbling into the same problem:
The netflow-Stream has to be enabled on the Splunk Server.
As long as the Stream is not activated in the Stream configuration, the UDP port on the Stream forwarder will not be up and running.

(TBH: This fault is totally on my side, but it would be nice if this behavour would be documented somewhere.)

Re: How to configure the Splunk Flow Collector Setup in Splunk Stream?

niketn — Mon, 16 Apr 2018 08:42:02 GMT

@seg42 go ahead and accept your own answer to mark this question as answered. As far as documentation is concerned Stream App documentation is located at the following location: https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/AboutSplunkAppforStream

Please read through to see whether the above step is actually documented or not. If not you can use the same documentation page to submit a feedback for update. Feedback option is available at the bottom of the page.

Re: How to configure the Splunk Flow Collector Setup in Splunk Stream?

deking_splunk — Mon, 07 Jan 2019 16:21:04 GMT

Hi Seg42

Can you share your configs for this. I'm struggling with exactly the same issue..

Thanks
Derek

Re: How to configure the Splunk Flow Collector Setup in Splunk Stream?

bdiego_splunk — Thu, 25 Apr 2019 23:49:28 GMT

@seg42 Can you please explain the steps you took to "enable the netflow-Stream on the Splunk Server"? Where did you enable it? Which Splunk server (are you using a standalone instance? The extra detail would be very much appreciated by us all. Thanks!

Re: How to configure the Splunk Flow Collector Setup in Splunk Stream?

michaeljorgense — Tue, 14 May 2019 06:16:23 GMT

In the Splunk App for Stream, i.e. not the TA, access the Configuration->Configure Streams menu item from the navigation bar. Scroll down until you find the stream titled "netflow" and choose "edit". Then, in the resulting config screen, ensure that the Mode is set to "enabled". This will enable the stream as described above by @seg42