All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I run the Add-on for IPFIX to gather appflow data as a linux daemon?

joelyon
Explorer
‎11-06-2014 12:47 PM

In the README that comes with the Splunk_TA_ipfix, there is this line:

"This add-on captures binary data sent over UDP, decodes it and provides the index-time and search-time extractions for all IPFIX data sources and templates."

"This add-on can parse Cisco Netflow v9+, Citrix Appflow v1+ and other IPFIX streams sent over UDP."

"It can be configured to run from splunkd and stream data directly to Splunk, or to run as a linux daemon streaming data to disk (which can be monitored by Splunk)."

That last part is what I want to do... capture as a linux daemon and ingest by using a Splunk monitor stanza in an inputs.conf on a UF....

No where else in the massive (8 pages) TA documentation does it provide any further information.

,

Reply

jbennett_splunk
Splunk Employee
Splunk Employee
‎11-13-2014 05:09 PM

If anyone had noticed it in the ReadMe, it probably would have been removed from there, as well 😉

At one time in that code's past, there was explicit support for running it separately as a daemon, but I'm pretty sure it "not supported" to run it that way (and I'm not sure it will work anyway, because it's been re-written as a "Modular Input" and expects it's parameters to be passed in that way).

It does have an undocumented --input parameter which can be used to pass the path to an xml file with the configuration in it (that is: modular inputs expect their configuration to be streamed to their stdin as an XML document, but this one can accept the document as a path argument).

There's also a logging.conf.sample file which should show how to log the output to a file.

I'll have a go at documenting how and see if I can get it put in the online documentation, but I wanted to post this much now.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...