
How to troubleshoot why the NetFlow Analytics for Splunk app is not showing any data?


I have installed Splunk and Netflow Analytics for Splunk as well as Netflow Integrator. I have followed the very vague installation documentation to the letter. The App, however, does not show any data. Netflow is receiving packets as expected. What can I possibly be doing wrong?

0 Karma

New Member
  • First you check in Splunk if the ports used for Data Inputs are enabled and listening.
  • Second, use netstat and check if the ports are listening.
  • Third you test if the ports are listening from a remote computer. As the ports are UDP you need to download a utility called PortQry (look it up on Google, it's legit). As I was saying, the utility checks if the ports can be accessed remotely.
  • Final test is to telnet remotely to the indexer on the UDP port and then check the indexes. If everything is ok so far, you need support from NetFlow related to Integrator, you don't have a problem with Splunk or Netflow Analytics for Splunk!
0 Karma


Assuming you are receiving NetFlow data on UDP port 9995, try tcpdump to verify inbound data:

tcpdump port 9995

Netstat should also show your ports as listening for NetFlow:

netstat -an | grep 9995

And the same as above for whatever port you've configured as your flow-to-syslog port.

Finally, make sure you've created the inputs.conf, as stated in the documentation.



0 Karma


Thank you both for your assistance. I am receiving NetFlow data on UDP port 9995, which I have confirmed is listening. I have configured the UDP data input, which is enabled and using flowintegrator as the index. When I view my indexes I can see the event count going up on flowintegrator, but my NetFlow API still does not show anything. "No data", it says. Any other thoughts?


If you see the event count in index flowintegrator going up, but the App does not show any data, make sure you have synchronized the time on NetFlow Integrator (NFI) and Splunk. By default the App shows the last 60 min, and if your time between NFI and Splunk is not in sync, the data can be out of the window.

0 Karma


What does your "Output summary" on your NetFlow Integrator screen look like?

Assuming you are running the NFI on the same host that contains a Universal Forwarder (UF), which you've already stated you are, it should contain its own IP address, and a port, say 10514.

Your inputs file in /opt/splunkforwarder/etc/system/local should read something like this:

[udp://10514]
index = flowintegrator
sourcetype = flowintegrator
disabled = false

Sounds like you are missing the [udp://10514] piece.

Also, where else did you install the TA?


0 Karma
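
The missing-stanza problem described in the last answer can be checked mechanically. The following is an added example, not part of the original thread or of the app's own code; the function names and sample file contents are constructed, and it assumes the stanza is written exactly as [udp://10514] with the index and sourcetype named in the thread.

```python
import re

# Values taken from the thread: index and sourcetype are both "flowintegrator".
EXPECTED = {"index": "flowintegrator", "sourcetype": "flowintegrator"}

def parse_conf(text):
    """Return (stanzas, orphans): settings per stanza, and settings that
    appear before any [stanza] header."""
    stanzas, orphans, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (orphans if current is None else current)[key] = value
    return stanzas, orphans

def check_udp_input(text, port=10514):
    """List problems that would keep the NFI syslog output out of the index."""
    stanzas, orphans = parse_conf(text)
    problems = []
    if orphans:
        problems.append("settings outside any stanza: " + ", ".join(sorted(orphans)))
    stanza = stanzas.get(f"udp://{port}")
    if stanza is None:
        problems.append(f"no [udp://{port}] stanza, so no UDP input is defined")
        return problems
    for key, want in EXPECTED.items():
        got = stanza.get(key)
        if got != want:
            problems.append(f"{key} is {got!r}, expected {want!r}")
    if stanza.get("disabled", "false").lower() in ("true", "1"):
        problems.append("input is disabled")
    return problems

# Constructed samples: the file without its header, and the corrected file.
BROKEN = "index = flowintegrator\nsourcetype = flowintegrator\ndisabled = false\n"
FIXED = "[udp://10514]\n" + BROKEN

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_udp_input(conf) or "ok")
```
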