Solved: AppFlow Data is not visible in the Citrix App

mmanfred · ‎08-05-2015

I have Splunk 6.2.3, Latest IPFIX and Citrix App and Netscaler 10.x. IPFIX listener is up and netscaler is sending appflow data to it.

I am able to query eventtype=netscaler but the appFlow dashboards seem to be looking for eventtype=netscaler_appflow which does not exist.

sourcetype=ipfix for these events and I see in the eventtypes.conf:
[netscaler_appflow]
search = eventtype=netscaler sourcetype=appflow

there is no sourcetype=appflow.
my input.conf only has the python [ script line
<pre>
[script:\/\/./bin/scripted_inputs/deploy_splunk_ta_netscaler.py]
interval = -1
index=_internal
sourcetype=netscaler:installer
disabled = 0
passAuth = splunk-system-user
</pre>

am I missing a setup step that creates that sourcetype?

mmanfred · ‎08-05-2015

Ah -
Two things:
1 - my inputs.conf needed to be
[ipfix://NetScaler_AppFlow]
sourcetype = appflow
index = netscaler
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = true
2- when I setup the IPFIX data input i didnt name it NetScaler_AppFlow so the above didnt match

View solution in original post

mmanfred · ‎08-05-2015

Ah -
Two things:
1 - my inputs.conf needed to be
[ipfix://NetScaler_AppFlow]
sourcetype = appflow
index = netscaler
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = true
2- when I setup the IPFIX data input i didnt name it NetScaler_AppFlow so the above didnt match

AppFlow Data is not visible in the Citrix App

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation