topic Re: Issue with NetFlow v9 Templates Not Received by Splunk Stream – Flows Being Dropped in Splunk Search

Issue with NetFlow v9 Templates Not Received by Splunk Stream – Flows Being Dropped

kn450 — Sat, 21 Jun 2025 06:20:49 GMT

Hi Splunk Community,

I'm currently integrating Flowmon ndr as a NetFlow data exporter to Splunk Stream, but I’m encountering a persistent issue where Splunk receives the flow data, yet it’s not decoded properly, and flow sets are being dropped due to missing templates.

Here’s the warning from the Splunk log:

```
2025-06-21 08:34:49 WARN [139703701448448] (NetflowManager/NetflowDecoder.cpp:1282) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 258 received for observation domain id 13000 from device 10.x.x.x. Dropping flow data set of size 328
```

Setup details:

Exporter: Flowmon
Collector: Splunk Stream
Protocol: NetFlow v9 (also tested with IPFIX)
Transport: UDP
Template Resend Configuration: Every 4096 packets or 600 seconds

Despite verifying these settings on Flowmon, Splunk continues to report that the template ID (in this case, 258) was never received, causing all related flows to be dropped.

My questions:

1. Has anyone successfully integrated Flowmon with Splunk Stream using NetFlow v9?
2. Is there a known issue with Splunk Stream not handling templates properly from certain exporters?
3. Are there any recommended Splunk Stream configuration tweaks for handling late or infrequent templates?

Any insights, experiences, or troubleshooting tips would be greatly appreciated.

Thanks in advance!

Re: Issue with NetFlow v9 Templates Not Received by Splunk Stream – Flows Being Dropped

livehybrid — Sat, 21 Jun 2025 06:27:06 GMT

Hi @kn450

Splunk Stream requires NetFlow v9/IPFIX templates to be received before it can decode flow records; if templates arrive infrequently or are missed, flows are dropped.

I'm not aware of any specific known issues around this, but I certainly think it is worth configuring Flowmon to send templates much more frequently (ideally every 20–30 seconds, not just every 600 seconds or 4096 packets) and see if this alleviate the issue.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Issue with NetFlow v9 Templates Not Received by Splunk Stream – Flows Being Dropped

kn450 — Sat, 21 Jun 2025 06:53:42 GMT

I changed the time and the pack size, but the problem still exists.

Re: Issue with NetFlow v9 Templates Not Received by Splunk Stream – Flows Being Dropped

uthornander_spl — Fri, 11 Jul 2025 14:51:03 GMT

There currently is an issue with NF 9 and STREAM 8.1.5.
I suggest downgrading until there's a newer release.