All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Index Netflow log into a dedicated index

Splunkduck09
Explorer
‎10-20-2025 05:15 PM

Hi,

I have Splunk App Stream (splunk_app_stream) and Splunk Add-on for Stream Forwarders (splunk_TA_stream) installed on the single Splunk instance where server is acting as both indexer and search head.

Splunk App Stream offers various streams out of the box, including Netflow. I've managed to get the Netflow data into the Splunk App Stream using streamfwd.conf on port 2055. 

Netflow stream offered by Splunk App Stream out of the box index data into default index, i would like to change it to a my own dedicated index 'Netflow_logs'. The Splunk App Stream UI offers ac drop down to select your own preferred option, i would like to do this with changing or editing the config file or file manipulation in the /opt/splunk/etc/apps/ splunk_app_stream or in the  /opt/splunk/etc/apps/splunk_TA_stream - not through the UI, not not keen to the API either. 

 

If we are not allowed to edit the out of the box netflow stream offered by Splunk App Stream, is there a way to create a new config file which will configure new stream for example 'netflow_stream' and have it to index into 'netflow_logs' index using file manipulation?

Can someone share some thoughts if this can be achieved using file manipulation? Thanks in advance  

Labels (1)
Labels
Preview file
115 KB
0 Karma
Reply

Splunkduck09
Explorer
‎11-05-2025 09:43 PM

Thank you it was great help, appreciated 

0 Karma
Reply

akkoem
Explorer
‎11-06-2025 12:20 AM

if it helped, I would really appreciate if you could pick my response as solution.  Happy Splunking 🙂 

0 Karma
Reply

akkoem
Explorer
‎10-23-2025 02:25 AM

I don't have a stream app and my lab is not suitable for this at this time. However, I believe we can find the solution after a btool run: Could you run below on the CLI and find where it registers selected index in your server
(I would expect there is an indexes.conf file bundled with the app, and inputs.conf file pointing to that index):

Test below after picking an index from dropdown and grep below for this selected index:

 

#Find which indexes.conf for the picked index is stored 
$SPLUNK_HOME$/bin/splunk btool indexes list --debug 
#Find where is the inputs.conf pointing for the same
$SPLUNK_HOME$/bin/splunk btool inputs list --debug

 

 
This should point you to right place

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...