I have installed Splunk and Netflow Analytics for Splunk as well as Netflow Integrator. I have followed the very vague installation documentation to the letter. The App, however, does not show any data. Netflow is receiving packets as expected. What can I possibly be doing wrong?
Assuming you are receiving NetFlow data on UDP port 9995, try tcpdump to verify inbound data:
tcpdump port 9995
Netstat should also show your ports as listening for NetFlow:
netstat -an | grep 9995
And the same as above for whatever port you've configured as your flow-to-syslog port.
Finally, make sure you've created the inputs.conf, as stated in the documentation.
HTH,
-mi
Thank you both for your assistance. I am receiving NetFlow data on UDP port 9995, which I have confirmed is listening. I have configured the UDP data input, which is enabled and using flowintegrator as the index. When I view my indexes I can see the event count going up on flowintegrator, but my NetFlow App still does not show anything; it says no data. Any other thoughts?
If you see event count in index flowintegrator going up, but the App does not show any data, make sure you synchronized time on NetFlow Integrator (NFI) and Splunk. By default the App shows last 60 min, and if your time between NFI and Splunk is not in sync, the data can be out of window.
What does your "Output summary", on your NetFlow Integrator screen look like?
Assuming you are running the NFI on the same host that contains a Universal Forwarder (UF), which you've already stated you are, it should contain its own IP address and a port, say 10514.
Your inputs file in /opt/splunkforwarder/etc/system/local should read something like this:
[udp://10514]
index = flowintegrator
sourcetype = flowintegrator
disabled = false
Sounds like you are missing the [udp://10514] piece.
Also, where else did you install the TA?
-mi
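The replies above amount to a short checklist: is anything bound to the port, are packets arriving, does the forwarder's inputs.conf actually carry the [udp://PORT] stanza with an index, and are the NFI and Splunk clocks close enough that events fall inside the App's 60-minute window. The script below is an added example that scripts that checklist; it is not from the thread, from Splunk or from the NFI product. The helper names, the temp-directory layout and both sample inputs.conf files are constructed for illustration, and the live checks assume a Linux or BSD host with ss or netstat and tcpdump available.

```shell
#!/bin/sh
# Added example (not from the original thread): a checker for the conditions
# the replies walk through. Helper names and sample files are assumptions.

# 1. Does inputs.conf have a [udp://PORT] stanza, and is it usable?
#    Exit 0 only if the stanza exists, sets an index, and is not disabled
#    (Splunk treats a missing "disabled" as false, so that case passes).
check_udp_stanza() {
  file="$1"; port="$2"
  awk -v want="[udp://$port]" '
    function val(line,  v) { v = line; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); return v }
    /^[ \t]*\[/ { in_st = ($1 == want); if (in_st) found = 1; next }
    in_st && /^[ \t]*index[ \t]*=/      { idx = val($0) }
    in_st && /^[ \t]*sourcetype[ \t]*=/ { st  = val($0) }
    in_st && /^[ \t]*disabled[ \t]*=/   { dis = val($0) }
    END {
      if (!found) { print "missing stanza " want " in " FILENAME; exit 1 }
      printf "%s: index=%s sourcetype=%s disabled=%s\n", want, idx, st,
             (dis == "" ? "(default false)" : dis)
      if (idx == "") { print "  no index set: events land in the default index"; exit 1 }
      if (dis == "true" || dis == "1") { print "  input is disabled"; exit 1 }
      exit 0
    }' "$file"
}

# 2. Is anything bound to the UDP port? Matches both Linux ("0.0.0.0:10514")
#    and BSD/macOS ("*.10514") address formats; prefers ss, falls back to netstat.
port_is_listening() {
  port="$1"
  if command -v ss >/dev/null 2>&1; then
    ss -lun | grep -Eq "[:.]$port[[:space:]]"
  else
    netstat -an | grep -Eq "[:.]$port[[:space:]]"
  fi
}

# 3. Is at least one packet arriving on the port? tcpdump -c 1 exits 0 on the
#    first matching packet; timeout (where present) bounds the wait at 30 s.
packets_arriving() {
  port="$1"
  if command -v timeout >/dev/null 2>&1; then
    timeout 30 tcpdump -n -c 1 udp port "$port" >/dev/null 2>&1
  else
    tcpdump -n -c 1 udp port "$port" >/dev/null 2>&1
  fi
}

# 4. The App searches the last 60 minutes by default. An event stamped by an
#    NFI clock that is further than that from Splunk's clock never shows up.
#    Arguments are epoch seconds: event timestamp, Splunk's "now", window.
in_app_window() {
  event="$1"; now="$2"; window="${3:-3600}"
  diff=$((now - event))
  if [ "$diff" -lt 0 ]; then diff=$((-diff)); fi
  [ "$diff" -le "$window" ]
}

# Constructed sample inputs.conf files (written to the directory given as $1):
# good.conf is the stanza from the reply above; bad.conf is the likely mistake,
# a stanza for the NetFlow collector port (9995) instead of NFI's syslog
# output port (10514) that the forwarder must listen on.
write_sample_inputs() {
  dir="$1"
  cat > "$dir/good.conf" <<'EOF'
[udp://10514]
index = flowintegrator
sourcetype = flowintegrator
disabled = false
EOF
  cat > "$dir/bad.conf" <<'EOF'
[udp://9995]
index = flowintegrator
disabled = false
EOF
}

# Live checks for the real host; run as: run_live_checks 10514 /opt/splunkforwarder/etc/system/local/inputs.conf
run_live_checks() {
  port="$1"; conf="$2"
  check_udp_stanza "$conf" "$port" || echo "fix the [udp://$port] stanza in $conf"
  if port_is_listening "$port"; then echo "udp/$port: bound"; else echo "udp/$port: nothing listening"; fi
  if packets_arriving "$port"; then echo "udp/$port: packets seen"; else echo "udp/$port: no packets before timeout"; fi
}
```

Run check_udp_stanza against the forwarder's own inputs.conf first: the thread's symptom (index count rising, App empty) is consistent with the 9995 collector input being configured while the 10514 stanza that feeds the flowintegrator sourcetype is absent, and with clock skew between NFI and Splunk, which the in_app_window helper lets you reason about from an event's _time and the indexer's date.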