All Apps and Add-ons

Can you run the old IPFIX app with the new NetScaler app?

dfronck
Communicator

We upgraded our NetScalers from v9 to v10 so I had to update the NetScaler app to v5. I installed the IPFix v5.0.1 app and it does not work as expected. There are a lot of issues like my host is the heavy forwarder instead of the NetScaler and the source is getting changed to "source = DataSource(address[0], address[1], observer_id)" which appears to be NS_IP:PORT:INSTANCE?

Any way, that's just inconvenient, the real problem is that the app crashes 2, 3, 4 times a day and I have to restart Splunk to get it working again. I have a case open with Splunk. The CRITICAL error that's getting thrown is "UnicodeDecodeError: 'utf8' codec can't decode byte 0x96 in position 967: invalid start byte"; it doesn't like something in our data.

The old v4.8 IPFIX app never had this issue so I was wondering if I could just roll back to that one.

1 Solution

jbennett_splunk
Splunk Employee
Splunk Employee

The data is structured differently, so I don't think it will work.

View solution in original post

jbennett_splunk
Splunk Employee
Splunk Employee

The data is structured differently, so I don't think it will work.

dfronck
Communicator

The good news is that it generates the same error every time so I wrote a script that greps the ipfix logs for the error and restarts splunk whenever it occurs. All of our other logs go into syslog so we're only losing 3 minutes of NetScaler logs 3 or 4 times a day.

I assume I can fix the host in props for the NS app.

Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...