All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Index Netflow log into a dedicated index

Splunkduck09
Explorer
‎10-20-2025 05:15 PM

Hi,

I have Splunk App Stream (splunk_app_stream) and Splunk Add-on for Stream Forwarders (splunk_TA_stream) installed on the single Splunk instance where server is acting as both indexer and search head.

Splunk App Stream offers various streams out of the box, including Netflow. I've managed to get the Netflow data into the Splunk App Stream using streamfwd.conf on port 2055. 

Netflow stream offered by Splunk App Stream out of the box index data into default index, i would like to change it to a my own dedicated index 'Netflow_logs'. The Splunk App Stream UI offers ac drop down to select your own preferred option, i would like to do this with changing or editing the config file or file manipulation in the /opt/splunk/etc/apps/ splunk_app_stream or in the  /opt/splunk/etc/apps/splunk_TA_stream - not through the UI, not not keen to the API either. 

 

If we are not allowed to edit the out of the box netflow stream offered by Splunk App Stream, is there a way to create a new config file which will configure new stream for example 'netflow_stream' and have it to index into 'netflow_logs' index using file manipulation?

Can someone share some thoughts if this can be achieved using file manipulation? Thanks in advance  

Labels (1)
Labels
Preview file
115 KB
0 Karma
Reply

Splunkduck09
Explorer
‎11-05-2025 09:43 PM

Thank you it was great help, appreciated 

0 Karma
Reply

akkoem
Explorer
‎11-06-2025 12:20 AM

if it helped, I would really appreciate if you could pick my response as solution.  Happy Splunking 🙂 

0 Karma
Reply

akkoem
Explorer
‎10-23-2025 02:25 AM

I don't have a stream app and my lab is not suitable for this at this time. However, I believe we can find the solution after a btool run: Could you run below on the CLI and find where it registers selected index in your server
(I would expect there is an indexes.conf file bundled with the app, and inputs.conf file pointing to that index):

Test below after picking an index from dropdown and grep below for this selected index:

 

#Find which indexes.conf for the picked index is stored 
$SPLUNK_HOME$/bin/splunk btool indexes list --debug 
#Find where is the inputs.conf pointing for the same
$SPLUNK_HOME$/bin/splunk btool inputs list --debug

 

 
This should point you to right place

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...