topic Re: No data captured by NetFlow NetFlowLogic app in All Apps and Add-ons

No data captured by NetFlow NetFlowLogic app

ecovert — Mon, 12 Mar 2012 16:51:38 GMT

I have installed the netflow for splunk app, verified that data is flowing to the server but I do not see any data showing up on dashboard. there is no data for NETFLOW being captured. Where can i go to test?

Re: No data captured by NetFlow NetFlowLogic app

MarioM — Mon, 12 Mar 2012 18:46:27 GMT

if nfdump from the app is capturing properly it should write log files being in the app's directory (netflow/log/nfdump/).

Also check if the listening port is the right one in $SPLUNK_HOME/etc/apps/netflow/default/config.ini.

And last you can search the internal log for any errors:

index=_internal sourcetype=splunkd ("nfdump" OR "netflow")

Re: No data captured by NetFlow NetFlowLogic app

tgow — Mon, 12 Mar 2012 19:01:13 GMT

Did you install the Netflow App on the a Linux box because it only runs on Linux?

Have you configured a data input on the Splunk Server?

You will need to configure either a UDP or TCP Data input on the Splunk Indexer that corresponds to the port you configured on your device sending netflow data, ie: UDP 9996.

Also, according to the README that comes with the Netflow app make sure that the data input is set to a sourcetype of "netflow".

Re: No data captured by NetFlow NetFlowLogic app

ecovert — Mon, 28 Sep 2020 11:32:31 GMT

Here is a little more detailed description"
The landing page for NETFLOW is saying "No results found. Inspect ..." When I look at the search, the inspector is saying that it did not match any results for "sourcetype=netflow | bin _time span=5m | stats sum(num_bytes) AS TotalBytes sum(num_packets) AS TotalPackets avg(bps) AS AvgBps by srcip srcport srcservice dstip dstport dstservice proto proto_name _time router_ip".

When i run that search it return a lot of data.

Re: No data captured by NetFlow NetFlowLogic app

jpriceit — Fri, 20 Apr 2012 18:02:00 GMT

This is the part that I don't understand. I specified port 9990 in the config.ini, and I see that there is a process running nfcapd with "-p 9990" specified. If I add a udp input for splunk on port 9990, nfcapd won't be able to listen on that port since it's already in use.

The cryptic readme says that netflow flows are captured using nfdump (and nfcapd?) and "fed" into splunk. How it's fed? I see 2 file inputs with the netflow app, both with sourcetype already set to netflow. "The app relies on the sourcetype=netflow." isn't very helpful, as it doesn't say what source needs that sourcetype.

Re: No data captured by NetFlow NetFlowLogic app

zoemdoef — Mon, 14 May 2012 10:56:06 GMT

I am also dissapointed in this app, I cant find enough info for it and its frustrating

Re: No data captured by NetFlow NetFlowLogic app

mkehler — Fri, 29 Jun 2012 16:22:39 GMT

can't get this to work at all. any more install notes available?

Re: No data captured by NetFlow NetFlowLogic app

InterMapper — Fri, 29 Jun 2012 17:22:39 GMT

I apologize this does not answer your specific query, but it relates to netflow data in Splunk. I have been using ProQueSys FlowTraq (our partner)for full fidelity netflow data in Splunk. They recently added strong syslog capabilty.
It has multiple OS support, software flows exporters with volume based pricing like Splunk which makes for really flexible flows deployment. You can check it out here.

Re: No data captured by NetFlow NetFlowLogic app

NetFlow_Logic — Fri, 29 Jun 2012 23:49:46 GMT

Splunk for NetFlow App based on nfdump works just fine, and there is nothing wrong with it. Nfdump, being an open source and free, could be painful to install and configure. It also may not be practical even in case of a typical NetFlow volume observed in medium size networks.

You may consider an alternative solution - NetFlow Integrator. Here are some of the main features:

Aggregation rules reduce the volume of data sent to Splunk by the order of magnitudes without losing any infomation for network monitoring and capacity planning
Able to process hundreds of thousands of NetFlow records per second
One instance of NetFlow integrator can receive NetFlow from unlimited number of NetFlow producers - just configure the listening port in NetFlow Integrator, and direct NetFlow traffic from routers, switches, and firewalls to this port.
and many more...

Here are the links to Splunk App and TA:

https://splunkbase.splunk.com/app/489/

https://splunkbase.splunk.com/app/1838/

Re: No data captured by NetFlow NetFlowLogic app

chaker — Fri, 13 Jul 2012 01:15:01 GMT

I agree, these are very unusual instructions. The Netflow app appears to use a file input for etc/apps/netflow/log/nfdump. I do not have a TCP input for the same port nfcap is listening on.

Re: No data captured by NetFlow NetFlowLogic app

jonathanmorcom — Mon, 28 Sep 2020 12:20:41 GMT

the app appears to be missing the index location in inputs.conf.

add this to each stanzer and it will work.

vim /opt/splunk/etc/apps/netflow/default/inputs.conf

add index=netflow_si_traffic to the 3 stanzer in the file and restart splunk.

Re: No data captured by NetFlow NetFlowLogic app

NetFlow_Logic — Mon, 18 Feb 2013 21:22:41 GMT

The underlying technology in this App - nfdump - was replaced with a free limited edition of NetFlow Integrator.

For high volume of NetFlow records you may consider this App and TA

https://splunkbase.splunk.com/app/489/

https://splunkbase.splunk.com/app/1838/