In the README that comes with the Splunk_TA_ipfix, there are these lines:
"This add-on captures binary data sent over UDP, decodes it and provides the index-time and search-time extractions for all IPFIX data sources and templates."
"This add-on can parse Cisco Netflow v9+, Citrix Appflow v1+ and other IPFIX streams sent over UDP."
"It can be configured to run from splunkd and stream data directly to Splunk, or to run as a linux daemon streaming data to disk (which can be monitored by Splunk)."
That last part is what I want to do... capture as a Linux daemon and ingest by using a Splunk monitor stanza in an inputs.conf on a UF...
Nowhere else in the massive (8 pages) TA documentation does it provide any further information.
If anyone had noticed it in the ReadMe, it probably would have been removed from there, as well 😉
At one time in that code's past, there was explicit support for running it separately as a daemon, but I'm pretty sure it's "not supported" to run it that way (and I'm not sure it will work anyway, because it's been re-written as a "Modular Input" and expects its parameters to be passed in that way).
It does have an undocumented --input parameter which can be used to pass the path to an XML file with the configuration in it (that is: modular inputs expect their configuration to be streamed to their stdin as an XML document, but this one can accept the document as a path argument).
There's also a logging.conf.sample file which should show how to log the output to a file.
I'll have a go at documenting how and see if I can get it put in the online documentation, but I wanted to post this much now.
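As an added illustration of the mechanism the answer describes (not code from the TA or from Splunk), the following Python shows how a modular input's XML configuration document can be read either from stdin, as splunkd streams it, or from a file named by a --input style path argument. The stanza name, port and index values in the embedded sample are constructed placeholders.

```python
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Optional, TextIO

# Constructed sample of the XML document splunkd streams to a modular input's
# stdin. Stanza name, parameter values and session key are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<input>
  <server_host>splunk-host.example</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>PLACEHOLDER_SESSION_KEY</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs</checkpoint_dir>
  <configuration>
    <stanza name="ipfix://udp_2055">
      <param name="port">2055</param>
      <param name="index">netflow</param>
      <param name="disabled">0</param>
    </stanza>
  </configuration>
</input>
"""


def parse_modinput_config(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {param_name: value}} from a modular input XML document."""
    root = ET.fromstring(xml_text)
    if root.tag != "input":
        raise ValueError("not a modular input configuration document")
    stanzas: Dict[str, Dict[str, str]] = {}
    for stanza in root.iter("stanza"):
        name = stanza.get("name")
        if not name:
            raise ValueError("stanza without a name attribute")
        stanzas[name] = {
            p.get("name"): (p.text or "").strip()
            for p in stanza.findall("param") if p.get("name")
        }
    return stanzas


def load_config(input_path: Optional[str], stdin: TextIO = sys.stdin) -> Dict[str, Dict[str, str]]:
    """Daemon style: read the XML from a file path. splunkd style: read it from stdin.
    A file holding this document also holds the session key, so restrict its permissions."""
    if input_path:
        with open(input_path, encoding="utf-8") as fh:
            return parse_modinput_config(fh.read())
    return parse_modinput_config(stdin.read())


if __name__ == "__main__":
    # Hypothetical "--input <path>" handling; the TA's own argument parsing may differ.
    argv = sys.argv[1:]
    path = argv[argv.index("--input") + 1] if "--input" in argv else None
    for stanza_name, params in load_config(path).items():
        print(stanza_name, params)
```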