Good day everyone,
I'm having trouble in configuring or setting up the Netflow app for Splunk.
I have already downloaded nfdump and the Splunk app on my machine (Linux Mint 64-bit). I already put an IP address and UDP port 9800 in my data inputs in Splunk, and also edited the config file of netflow:

    [nfcapd]
    # UDP port to listen for incoming netflow.
    #port = 9996
    port = 9800
I have also chosen the sourcetype to be netflow as said in the readme. Restarted Splunk multiple times already. Still can't get results from the Netflow app dashboards.
Can someone guide or help me to do this? Is there something I need to input on the Linux command line in order for the dumps to capture? I'm currently pinging the IP and running tcpdump on the Linux machine. I tried running nfdump but it shows only this:

    nfdump
    Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
    Open file '<stdin>': bad magic: 0xA
Thanks fellow Splunkers
What do you mean by "downloaded the nfdump"? Because it is already in the app.
Are you on a 32-bit OS?
By default, the NetFlow app only works on Linux 64-bit platforms (due to issues with nfdump binary compatibility). If you want to run this app on 32-bit platforms, rename two binary files "nfcapd_linux32" and "nfdump_linux32" to "nfcapd" and "nfdump", respectively. These files are located in the NetFlow app's "bin" directory, which is $SPLUNK_HOME/etc/apps/netflow/bin . Following is an example of how to rename the files within the directory:

    $ cd $SPLUNK_HOME/etc/apps/netflow/bin
    $ mv nfcapd_linux32 nfcapd
    $ mv nfdump_linux32 nfdump
I'm running 64-bit; I downloaded nfdump using apt-get. Sorry, I didn't know it was already in the app. Forgot to indicate that I'm on 64-bit.
Then just remove the one you installed; all you need is to configure $SPLUNK_HOME/etc/apps/netflow/default/config.ini and restart Splunk.
Thanks again @MarionM, here's what I've got:
09-19-2012 15:33:48.963 +0800 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netflow/bin/nfcapd.py" Terminated due to errors.
09-19-2012 15:34:48.751 +0800 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/netflow/bin/nfcapd.py" Receive socket error: could not open the requested socket
Does this mean it's working? Do I need to configure more?
It sounds like something is already listening on the port you specified in config.ini (did you properly remove the nfdump apt package?), or you are not running Splunk as sudo/root.
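As an added example (not from this thread or the NetFlow app), a small Python check that separates the two causes named above: it tries to bind the UDP port exactly as nfcapd would and reports "in use" (another listener, e.g. a leftover apt nfcapd) versus "permission denied" (unprivileged port or user). The port 9800 comes from the question; the helper names and the 0.0.0.0 bind address are assumptions.

```python
import errno
import socket


def probe_udp_port(port, host="0.0.0.0"):
    """Attempt a UDP bind on host:port and release it immediately.

    Returns "free", "in use" or "permission denied" so the caller can tell
    a port conflict apart from a privilege problem, the two causes behind
    nfcapd's "could not open the requested socket" error.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "free"
    except PermissionError:
        # EACCES: typically a port below 1024 bound by a non-root user.
        return "permission denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            # Another process (or another collector) already owns the port.
            return "in use"
        raise
    finally:
        sock.close()


def demonstrate_conflict():
    """Hold a UDP port ourselves, probe it, release it, probe again.

    Stands in for a stray nfcapd still bound to the port. Returns the two
    probe results, expected to be ("in use", "free").
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind(("0.0.0.0", 0))          # kernel picks a free port
    port = holder.getsockname()[1]
    while_held = probe_udp_port(port)
    holder.close()
    after_release = probe_udp_port(port)
    return while_held, after_release


if __name__ == "__main__":
    # Port from the question: check it on the Splunk host before restarting.
    print("udp/9800:", probe_udp_port(9800))
    print("conflict demo:", demonstrate_conflict())
```

If the probe says "in use", find the owner with `ss -lunp | grep :9800` (needs root to show the process); if it says "permission denied", the Splunk process lacks the privilege to bind that port.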