
How do I run the Add-on for IPFIX to gather appflow data as a linux daemon?

joelyon
Explorer

In the README that comes with the Splunk_TA_ipfix, there is this line:

"This add-on captures binary data sent over UDP, decodes it and provides the index-time and search-time extractions for all IPFIX data sources and templates."

"This add-on can parse Cisco Netflow v9+, Citrix Appflow v1+ and other IPFIX streams sent over UDP."

"It can be configured to run from splunkd and stream data directly to Splunk, or to run as a linux daemon streaming data to disk (which can be monitored by Splunk)."

That last part is what I want to do... capture as a linux daemon and ingest by using a Splunk monitor stanza in an inputs.conf on a UF....

Nowhere else in the massive (8 pages) TA documentation does it provide any further information.


jbennett_splunk
Splunk Employee

If anyone had noticed it in the ReadMe, it probably would have been removed from there, as well 😉

At one time in that code's past, there was explicit support for running it separately as a daemon, but I'm pretty sure it's "not supported" to run it that way (and I'm not sure it will work anyway, because it's been re-written as a "Modular Input" and expects its parameters to be passed in that way).

It does have an undocumented --input parameter which can be used to pass the path to an xml file with the configuration in it (that is: modular inputs expect their configuration to be streamed to their stdin as an XML document, but this one can accept the document as a path argument).

There's also a logging.conf.sample file which should show how to log the output to a file.

I'll have a go at documenting how and see if I can get it put in the online documentation, but I wanted to post this much now.

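For anyone trying the --input route described above, this added example (not code from Splunk_TA_ipfix or Splunk) builds and parses the XML configuration document that splunkd normally streams to a modular input's stdin, which is what a path passed to --input would have to contain. The stanza scheme `ipfix://appflow`, the parameter names `port` and `protocol`, and the host/URI/session values are assumptions; the real parameter names come from the add-on's inputs.conf.spec.

```python
"""Build and parse the <input> document a Splunk modular input expects on stdin.
Added example; the stanza scheme and parameter names below are assumed, not
taken from Splunk_TA_ipfix."""
import os
import xml.etree.ElementTree as ET


def build_modinput_xml(stanza, params, server_host="localhost",
                       server_uri="https://127.0.0.1:8089",
                       session_key="PLACEHOLDER-SESSION-KEY",
                       checkpoint_dir="/tmp/modinput-checkpoint"):
    """Return the <input> document in the modular-input framework's layout."""
    root = ET.Element("input")
    ET.SubElement(root, "server_host").text = server_host
    ET.SubElement(root, "server_uri").text = server_uri
    ET.SubElement(root, "session_key").text = session_key   # placeholder when run outside splunkd
    ET.SubElement(root, "checkpoint_dir").text = checkpoint_dir
    conf = ET.SubElement(root, "configuration")
    st = ET.SubElement(conf, "stanza", name=stanza)
    for key, value in params.items():
        ET.SubElement(st, "param", name=key).text = str(value)
    return ET.tostring(root, encoding="unicode")


def parse_modinput_xml(doc):
    """Parse the document the way a modular input reads it from stdin."""
    root = ET.fromstring(doc)
    stanzas = {}
    for st in root.iter("stanza"):
        stanzas[st.get("name")] = {p.get("name"): p.text for p in st.iter("param")}
    return {"checkpoint_dir": root.findtext("checkpoint_dir"), "stanzas": stanzas}


def write_private(path, doc):
    """Write the file with mode 0600: the document can carry a session key."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(doc)
    return oct(os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    # Constructed sample: scheme and parameter names are assumptions, not the
    # add-on's; 4739 is the IANA-registered IPFIX port.
    sample = build_modinput_xml("ipfix://appflow", {"port": "4739", "protocol": "udp"})
    print(write_private("ipfix-input.xml", sample), parse_modinput_xml(sample))
```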