All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Multiple Netflow Apps ?

kidoucorp
New Member
‎04-05-2012 12:14 AM

Hi,

I'm using your wonderful app for Netflow, which is working perfectly.

Here is the problem I have since I upgraded to V2.0 :

I run one instance of splunk, but I'm retrieving netflow records from other servers as well.

I want to split the netflows record for each of my server, this way I can look the traffic for a particular server.

What I've donne so far, was to take your app, and rename every reference to "sourcetype=netflow" to "sourcetype=netflow_xxxxx".

So Basically, I have one instance of your netflow app for each of my server.

It was working well on 1.0, but on 2.0, it's not working anymore. I have modified my monitored nfdump.log to go to the index I specified. (netflow_si_traffic_xxxx).

But I'm not getting any result in the dashboard, here is what I'm getting :

This search has completed and has returned 10,000 results by scanning 10,497 events in 0.699 seconds.

The following messages were returned by the search subsystem:

DEBUG: base lispy: [ AND index::netflow_si_traffic_togo ]
DEBUG: search context: user="admin", app="netflow_togo", bs-pathname="/opt/splunk/etc"

Event search : search index=netflow_si_traffic_togo | fields src_ip src_port src_service dst_ip dst_port dst_service proto proto_name router_ip _time num_bytes num_packets bps

If I launch this search manually, I am getting results.

So do you know what could be the problem ? Do you have changed some parameters on nfdump of nfcapd ?

I'm exporting my nfdump.log with the right format (I think) : fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %pps %bps %bpp %fl %ra

Thanks for your answer

0 Karma
Reply

NetFlow_Logic
Contributor
‎04-19-2012 02:14 AM

You may also consider another App based on 3rd party software - NetFlow Integrator. It is a streaming technology that converts NetFlow to syslog on the fly, thus making it available in Splunk in real time. Sign up for Beta now. Demo App is here:

http://splunk-base.splunk.com/apps/NetFlow-based+Network+Monitoring+(Beta)

Reply

athana
Splunk Employee
Splunk Employee
‎04-05-2012 03:44 PM

In this version (v2.0), I used Splunk summary index technique to improve the searching performance. And therefore, your method of renaming sourcetype=netflow_xxx will not work anymore, because the summary index will rename the sourcetype to 'stash'. What you might be able to do is using a 'host' field in your search to separate between each of your server.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...