
How to configure the Splunk Add-on for NetFlow to report the hostname of the device forwarding data, not the heavy forwarder the add-on is running on?

edwardrose
Contributor

Hello All,

I was curious as to how to get the Splunk NetFlow Add-On to report the specific host of the device that is forwarding the data instead of the heavy forwarder which the add-on is running on.

   7/14/15     10:37:37.201 AM      2015-07-14 10:37:37,2015-07-14  10:37:41,3.904,134.86.135.65,147.34.89.129,161,60969,UDP,.A....,0,0,2,232,0,0,2,8,0,0,32,17,0,0,139.181.233.206,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,    0.000,    0.000,    0.000,139.181.233.216,0/0,38,2015-07-14 10:23:16.278
    host = splk-gns-fwd-01.wv.mentorg.com source = /opt/splunk/etc/apps/Splunk_TA_flowfix/nfdump-ascii/nfdump-csv_20150714102355.log sourcetype = netflow

All entries have the host as splk-gns-fwd-01; I just want to make sure we get the host filled with the originating host, not the forwarder.

thanks
ed


jcoates_splunk
Splunk Employee

You should be able to use local/props.conf to override. http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Propsconf

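A concrete form of that override, added here as an example and not part of the original thread: a transforms.conf/props.conf pair that rewrites `host` from the exporter address in the nfdump CSV line, with the regex checked in Python against the event from the question before it goes on the heavy forwarder. It assumes the IPv4 column following the three space-padded float columns is nfdump's `ra` (router address) field, i.e. the exporting device, and the stanza name `netflow_exporter_host` is our own choice.

```python
import re

# Constructed sample: the raw nfdump CSV line from the question, as Splunk would store it in _raw.
SAMPLE_EVENT = (
    "2015-07-14 10:37:37,2015-07-14  10:37:41,3.904,134.86.135.65,147.34.89.129,"
    "161,60969,UDP,.A....,0,0,2,232,0,0,2,8,0,0,32,17,0,0,139.181.233.206,0.0.0.0,"
    "0,0,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,"
    "0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,"
    "    0.000,    0.000,    0.000,139.181.233.216,0/0,38,2015-07-14 10:23:16.278"
)

# REGEX for transforms.conf: anchor on the three space-padded float columns that precede
# the router-address column, then capture that IPv4 address as group 1.
# Assumption: that column (nfdump's "ra") is the exporting device, not a next hop.
EXPORTER_REGEX = r"(?:,\s*\d+\.\d+){3},(\d{1,3}(?:\.\d{1,3}){3}),\d+/\d+,\d+,"


def transforms_conf() -> str:
    """Render the transforms.conf stanza that rewrites the host metadata key."""
    return (
        "[netflow_exporter_host]\n"
        f"REGEX = {EXPORTER_REGEX}\n"
        "FORMAT = host::$1\n"
        "DEST_KEY = MetaData:Host\n"
    )


def props_conf() -> str:
    """Render the props.conf stanza for the add-on's sourcetype; it must live where parsing happens."""
    return "[netflow]\nTRANSFORMS-exporter_host = netflow_exporter_host\n"


def extract_exporter_host(event: str):
    """Apply the same pattern Splunk would; return the host value, or None when the line does not match."""
    match = re.search(EXPORTER_REGEX, event)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(props_conf())
    print(transforms_conf())
    print("host would become:", extract_exporter_host(SAMPLE_EVENT))
```

Because DEST_KEY rewrites only on a match, a line the regex does not fit keeps the forwarder's hostname, so check the extractor against a few real lines before relying on the override for per-device searches.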