How to configure the Splunk Flow Collector Setup in Splunk Stream?

seg42
Engager

Hi all!
I am trying to set up the flow collector to ingest netflow into my Splunk instance according to the docs (https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/ConfigureFlowcollector)

I am running a single instance to implement a PoC, so nothing fancy here.

What I've got so far: I installed Splunk_TA_Stream and fixed the permissions.

I also set up a $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf with my ingest settings:

[streamfwd]
netflowReceiver.0.ip = 172.16.1.3
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

But no matter how I try, the configured port never opens up, shows in netstat or is reachable via nc/telnet.

Any help on how to get this config running would be greatly appreciated!

1 Solution

seg42
Engager

After a lot of searching around, I found the culprit.

For anyone stumbling into the same problem:
The netflow-Stream has to be enabled on the Splunk Server.
As long as the Stream is not activated in the Stream configuration, the UDP port on the Stream forwarder will not be up and running.

(TBH: This fault is totally on my side, but it would be nice if this behaviour would be documented somewhere.)


deking_splunk
Splunk Employee

Hi Seg42

Can you share your configs for this? I'm struggling with exactly the same issue.

Thanks
Derek


bdiego_splunk
Splunk Employee

@seg42 Can you please explain the steps you took to "enable the netflow-Stream on the Splunk Server"? Where did you enable it? Which Splunk server (are you using a standalone instance?) The extra detail would be very much appreciated by us all. Thanks!


michaeljorgense
Path Finder

In the Splunk App for Stream, i.e. not the TA, access the Configuration -> Configure Streams menu item from the navigation bar. Scroll down until you find the stream titled "netflow" and choose "edit". Then, in the resulting config screen, ensure that the Mode is set to "enabled". This will enable the stream as described above by @seg42.

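Since the symptom in this thread is a configured port that never shows up in netstat, here is a small check added to the thread (example code, not from the original posts or from Splunk) that parses the netflowReceiver.N.* entries from the question's streamfwd.conf and probes whether each UDP port is actually bound on the local host; a receiver reported as "not bound" after the stream has been enabled in the Stream app points back at the forwarder, not at the config file.

```python
import configparser
import errno
import socket

# Constructed sample mirroring the streamfwd.conf posted in the question.
SAMPLE_STREAMFWD_CONF = """\
[streamfwd]
netflowReceiver.0.ip = 172.16.1.3
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow
"""

def parse_receivers(conf_text):
    """Return [(index, ip, port, decoder), ...] for every netflowReceiver.N.* group."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys as written
    cp.read_string(conf_text)
    groups = {}
    for key, value in cp["streamfwd"].items():
        parts = key.split(".", 2)  # ['netflowReceiver', 'N', 'field']
        if len(parts) == 3 and parts[0] == "netflowReceiver" and parts[1].isdigit():
            groups.setdefault(int(parts[1]), {})[parts[2]] = value.strip()
    # no ip key: assume all interfaces (assumption, not taken from the docs)
    return [(i, g.get("ip", "0.0.0.0"), int(g["port"]), g.get("decoder"))
            for i, g in sorted(groups.items()) if "port" in g]

def udp_port_is_bound(ip, port):
    """Probe by trying to bind the same UDP address ourselves.
    True: EADDRINUSE, a listener (ideally streamfwd) already holds it.
    False: bind succeeded, so nothing is listening (the symptom in the question).
    None: address not local to this host or no privilege, probe is inconclusive."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((ip, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        if e.errno in (errno.EADDRNOTAVAIL, errno.EACCES):
            return None
        raise
    finally:
        s.close()

def check_conf(conf_text):
    """Map receiver index -> 'listening' / 'not bound' / 'unknown'."""
    label = {True: "listening", False: "not bound", None: "unknown"}
    return {i: label[udp_port_is_bound(ip, port)]
            for i, ip, port, _ in parse_receivers(conf_text)}
```

Run it on the forwarder host as check_conf(open("$SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf").read()) with the path expanded; the probe must run on the same machine as streamfwd, since it tests local socket state rather than reachability.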

niketn
Legend

@seg42 go ahead and accept your own answer to mark this question as answered. As far as documentation is concerned, the Stream App documentation is located at the following location: https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/AboutSplunkAppforStream

Please read through to see whether the above step is actually documented or not. If not, you can use the same documentation page to submit feedback for an update. The feedback option is available at the bottom of the page.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"