How to troubleshoot why the NetFlow Analytics for Splunk app is not showing any data?

I have installed Splunk and Netflow Analytics for Splunk as well as Netflow Integrator. I have followed the very vague installation documentation to the letter. The App, however, does not show any data. Netflow is receiving packets as expected. What can I possibly be doing wrong?

0 Karma

New Member
  • First, check in Splunk whether the ports used for Data Inputs are enabled and listening.
  • Second, use netstat and check whether the ports are listening.
  • Third, test whether the ports are listening from a remote computer. As the ports are UDP, you need to download a utility called PortQry (look it up on Google, it's legit). As I was saying, the utility checks whether the ports can be accessed remotely.
  • The final test is to telnet remotely to the indexer on the UDP port and then check the indexes. If everything is OK so far, you need support from NetFlow related to Integrator; you don't have a problem with Splunk or NetFlow Analytics for Splunk!
0 Karma

Communicator

Assuming you are receiving NetFlow data on UDP port 9995, try tcpdump to verify inbound data:

tcpdump port 9995

Netstat should also show your ports as listening for NetFlow:
netstat -an | grep 9995

And same as above for whatever port you've configured your flow to syslog port.

Finally, make sure you've created the inputs.conf, as stated in the documentation.

HTH,

-mi

0 Karma

Thank you both for your assistance. I am receiving NetFlow data on UDP port 9995, which I have confirmed is listening. I have configured the UDP data input, which is enabled and using flowintegrator as the index. When I view my indexes I can see the event count going up on flowintegrator, but my NetFlow app still does not show anything; it says "no data". Any other thoughts?

Explorer

If you see event count in index flowintegrator going up, but the App does not show any data, make sure you synchronized time on NetFlow Integrator (NFI) and Splunk. By default the App shows last 60 min, and if your time between NFI and Splunk is not in sync, the data can be out of window.

0 Karma

Communicator

What does your "Output summary", on your NetFlow Integrator screen look like?

Assuming you are running the NFI on the same host that contains a Universal Forwarder (UF), which you've already stated you are, it should contain its own IP address and a port, say 10514.

Your inputs file in /opt/splunkforwarder/etc/system/local should read something like this:

[udp://10514]
index = flowintegrator
sourcetype = flowintegrator
disabled = false

Sounds like you are missing the [udp://10514] piece.

Also, where else did you install the TA?

-mi

0 Karma
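The checks the replies above walk through (a UDP listener on the flow port, a correct `[udp://<port>]` stanza in inputs.conf, and clock skew between NFI and Splunk that pushes events outside the app's 60-minute window) can be scripted so they are repeatable. The following is an added example written for this page, not code from Splunk, the NetFlow Analytics app or NetFlow Integrator. The port numbers 9995 and 10514, the forwarder path /opt/splunkforwarder/etc/system/local/inputs.conf and the host name `nfi-host` are taken from the thread or assumed for illustration; each function reads its input from stdin or arguments so it can be run against saved output as well as a live host.

```shell
#!/bin/sh
# Added troubleshooting helpers for a Splunk UDP NetFlow input.
# Not part of the original thread, the Splunk apps or NetFlow Integrator.

# 1. Is a UDP listener bound to the port? Pipe `ss -lun` or `netstat -an`
#    output in on stdin. Matches both "0.0.0.0:9995" (Linux) and "*.9995" (BSD).
udp_listener_in_output() {
    port="$1"
    grep -iE 'udp|unconn' | grep -Eq "[:.]${port}([ 	]|\$)"
}

# 2. Does inputs.conf (on stdin) contain a [udp://PORT] or [udp://HOST:PORT]
#    stanza that is not disabled? Returns 0 when the stanza exists and is
#    enabled, 1 otherwise. The stanza must match the port exactly.
inputs_stanza_enabled() {
    port="$1"
    awk -v port="$port" '
        /^\[/ {
            in_stanza = ($0 ~ ("^\\[udp://(.*:)?" port "\\][ \t]*$"))
            if (in_stanza) found = 1
            next
        }
        in_stanza && /^[ \t]*disabled[ \t]*=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[2])
            if (kv[2] ~ /^(1|true|yes)$/) disabled = 1
        }
        END { if (found && !disabled) exit 0; exit 1 }
    '
}

# 3. Absolute clock skew in seconds between two epoch timestamps.
clock_skew_seconds() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( -d )); fi
    echo "$d"
}

# 4. Does the skew keep events inside the dashboard window (default 60 min,
#    i.e. 3600 s, as described in the thread)? Returns 0 if yes.
skew_within_window() {
    skew=$(clock_skew_seconds "$1" "$2")
    [ "$skew" -lt "${3:-3600}" ]
}

# Live run against this host. Assumes the NFI box is reachable as "nfi-host"
# over ssh (hypothetical name) and that the UF's inputs.conf is at the path
# quoted in the thread. Call `live_checks` by hand; it is not run on load.
live_checks() {
    if ss -lun 2>/dev/null | udp_listener_in_output 9995; then
        echo "ok: UDP 9995 has a listener"
    else
        echo "FAIL: nothing listening on UDP 9995"
    fi
    if inputs_stanza_enabled 10514 < /opt/splunkforwarder/etc/system/local/inputs.conf; then
        echo "ok: [udp://10514] stanza present and enabled"
    else
        echo "FAIL: [udp://10514] stanza missing or disabled"
    fi
    remote=$(ssh nfi-host date +%s)
    if skew_within_window "$(date +%s)" "$remote" 3600; then
        echo "ok: NFI/Splunk clock skew is inside the 60 min window"
    else
        echo "FAIL: clock skew $(clock_skew_seconds "$(date +%s)" "$remote") s; sync NTP"
    fi
}
```

Run `live_checks` on the forwarder host after sourcing the file. A listener on 9995 with an enabled `[udp://10514]` stanza and a skew under 3600 s means the path from NFI into the index is fine, and the remaining suspect is the NFI output configuration itself, which is where the thread's last reply points.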