How do I run the Add-on for IPFIX to gather appflow data as a linux daemon?

joelyon
Explorer

In the README that comes with the Splunk_TA_ipfix, there is this line:

"This add-on captures binary data sent over UDP, decodes it and provides the index-time and search-time extractions for all IPFIX data sources and templates."

"This add-on can parse Cisco Netflow v9+, Citrix Appflow v1+ and other IPFIX streams sent over UDP."

"It can be configured to run from splunkd and stream data directly to Splunk, or to run as a linux daemon streaming data to disk (which can be monitored by Splunk)."

That last part is what I want to do... capture as a linux daemon and ingest by using a Splunk monitor stanza in an inputs.conf on a UF....

Nowhere else in the massive (8 pages) TA documentation does it provide any further information.

jbennett_splunk
Splunk Employee

If anyone had noticed it in the ReadMe, it probably would have been removed from there, as well 😉

At one time in that code's past, there was explicit support for running it separately as a daemon, but I'm pretty sure it's "not supported" to run it that way (and I'm not sure it will work anyway, because it's been re-written as a "Modular Input" and expects its parameters to be passed in that way).

It does have an undocumented --input parameter which can be used to pass the path to an xml file with the configuration in it (that is: modular inputs expect their configuration to be streamed to their stdin as an XML document, but this one can accept the document as a path argument).

There's also a logging.conf.sample file which should show how to log the output to a file.

I'll have a go at documenting how and see if I can get it put in the online documentation, but I wanted to post this much now.

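To make the answer above concrete, here is an added example (not code from Splunk_TA_ipfix or from Splunk) of how a modular input consumes its runtime configuration: splunkd streams an XML document to the script's stdin, and the `--input <path>` variant described above reads the same document from a file instead. The XML element names (`input`, `server_host`, `server_uri`, `session_key`, `checkpoint_dir`, `configuration`, `stanza`, `param`, `param_list`) are the standard Splunk modular-input runtime format; the stanza name `ipfix://collector` and the parameter names `port`, `output_file` and `index` are assumptions, since the add-on's real parameters are not on this page. Because the document carries a `session_key`, the file-based path refuses a config file that is readable by other users.

```python
"""Parse a Splunk modular-input runtime configuration document.

Added example, not part of Splunk_TA_ipfix. Supports both delivery modes
described in the answer: XML on stdin (how splunkd runs a modular input)
and an XML file named by '--input' (the undocumented daemon-style option).
Stanza/param names below are hypothetical placeholders.
"""
import argparse
import os
import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample of the runtime document splunkd would write to stdin.
# The session_key is a placeholder, not a real token.
SAMPLE_CONFIG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<input>
  <server_host>splunk-hf.example.internal</server_host>
  <server_uri>https://127.0.0.1:8089</server_uri>
  <session_key>PLACEHOLDER_SESSION_KEY</session_key>
  <checkpoint_dir>/opt/splunk/var/lib/splunk/modinputs/ipfix</checkpoint_dir>
  <configuration>
    <stanza name="ipfix://collector">
      <param name="port">4739</param>
      <param name="output_file">/var/log/ipfix/appflow.log</param>
      <param name="index">netflow</param>
    </stanza>
  </configuration>
</input>
"""


@dataclass
class ModInputConfig:
    server_host: str
    server_uri: str
    session_key: str
    checkpoint_dir: str
    stanzas: Dict[str, dict] = field(default_factory=dict)  # name -> {param: value}


def parse_modinput_xml(text: str) -> ModInputConfig:
    """Parse the runtime XML (trusted, locally produced) into a ModInputConfig."""
    root = ET.fromstring(text)
    if root.tag != "input":
        raise ValueError(f"expected <input> root element, got <{root.tag}>")

    def child_text(tag: str) -> str:
        node = root.find(tag)
        return (node.text or "").strip() if node is not None else ""

    cfg = ModInputConfig(
        server_host=child_text("server_host"),
        server_uri=child_text("server_uri"),
        session_key=child_text("session_key"),
        checkpoint_dir=child_text("checkpoint_dir"),
    )
    for stanza in root.iterfind("configuration/stanza"):
        params = {}
        for p in stanza.iterfind("param"):
            params[p.get("name", "")] = (p.text or "").strip()
        # <param_list> carries multi-valued parameters, one <item> per value
        for pl in stanza.iterfind("param_list"):
            params[pl.get("name", "")] = [(i.text or "").strip() for i in pl.iterfind("item")]
        cfg.stanzas[stanza.get("name", "")] = params
    return cfg


def is_private_mode(st_mode: int) -> bool:
    """True if no group/other permission bits are set (e.g. 0600)."""
    return (st_mode & 0o077) == 0


def load_config(input_path: Optional[str] = None) -> ModInputConfig:
    """stdin mode when input_path is None; file mode otherwise."""
    if input_path is None:
        return parse_modinput_xml(sys.stdin.read())
    # The document may contain a session_key: refuse a world/group-readable file.
    if not is_private_mode(os.stat(input_path).st_mode):
        raise PermissionError(f"{input_path} must not be readable by group/others (chmod 600)")
    with open(input_path, encoding="utf-8") as fh:
        return parse_modinput_xml(fh.read())


def main(argv=None) -> None:
    ap = argparse.ArgumentParser(description="modular-input config loader (example)")
    ap.add_argument("--input", help="read the runtime XML from this file instead of stdin")
    args = ap.parse_args(argv)
    cfg = load_config(args.input)
    for name, params in cfg.stanzas.items():
        print(f"{name}: {params}")


if __name__ == "__main__":
    main()
```

Run it as `python3 loader.py < config.xml` to mimic splunkd, or `python3 loader.py --input config.xml` for the daemon-style path; in the second form the file holds whatever `session_key` you put in it, so keep it mode 0600 and owned by the account that runs the collector.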