Solved: How to configure the Splunk Flow Collector Setup i...

seg42 · ‎03-28-2018

Hi all!
I am trying to set up the flow collector to ingest netflow into my Splunk instance according to the docs (https://docs.splunk.com/Documentation/StreamApp/7.1.1/DeployStreamApp/ConfigureFlowcollector)

I am running a single instance to implement a PoC, so nothing fancy here.

What I've got so far: I installed Splunk_TA_Stream and fixed the permissions.

I also set up a $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf with my ingest settings:

[streamfwd]
netflowReceiver.0.ip = 172.16.1.3
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

But no matter how I try, the configured port never opens up, shows in netstat or is reachable via nc/telnet.

Any help on how to get this config running would be greatly appreciated!

seg42 · ‎04-15-2018

After a lot of searching around, I found the culprit.

For anyone stumbling into the same problem:
The netflow-Stream has to be enabled on the Splunk Server.
As long as the Stream is not activated in the Stream configuration, the UDP port on the Stream forwarder will not be up and running.

(TBH: This fault is totally on my side, but it would be nice if this behavour would be documented somewhere.)

View solution in original post

deking_splunk · ‎01-07-2019

Hi Seg42

Can you share your configs for this. I'm struggling with exactly the same issue..

Thanks
Derek

seg42 · ‎04-15-2018

After a lot of searching around, I found the culprit.

For anyone stumbling into the same problem:
The netflow-Stream has to be enabled on the Splunk Server.
As long as the Stream is not activated in the Stream configuration, the UDP port on the Stream forwarder will not be up and running.

(TBH: This fault is totally on my side, but it would be nice if this behavour would be documented somewhere.)

bdiego_splunk · ‎04-25-2019

@seg42 Can you please explain the steps you took to "enable the netflow-Stream on the Splunk Server"? Where did you enable it? Which Splunk server (are you using a standalone instance? The extra detail would be very much appreciated by us all. Thanks!

michaeljorgense · ‎05-13-2019

In the Splunk App for Stream, i.e. not the TA, access the Configuration->Configure Streams menu item from the navigation bar. Scroll down until you find the stream titled "netflow" and choose "edit". Then, in the resulting config screen, ensure that the Mode is set to "enabled". This will enable the stream as described above by @seg42

niketn · ‎04-16-2018

@seg42 go ahead and accept your own answer to mark this question as answered. As far as documentation is concerned Stream App documentation is located at the following location: https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/AboutSplunkAppforStream

Please read through to see whether the above step is actually documented or not. If not you can use the same documentation page to submit a feedback for update. Feedback option is available at the bottom of the page.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

How to configure the Splunk Flow Collector Setup in Splunk Stream?

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services