We recently upgraded our NetScalers from v10 to v11. Soon after, our heavy forwarder running the Splunk_TA_IPFIX_UDP_NIX app started running with very high memory usage. We were also dropping 95%+ of AppFlow data. I started researching and upgraded our Splunk NetScaler app and TA to 5.x on the heavy forwarder. The Splunk_TA_ipfix was really the only component that needed to be upgraded, but I thought since I was upgrading one, I would do both.
I am now receiving AppFlow data again, but it appears that the format has changed. I no longer see fields such as "Address", which used to indicate which NetScaler host the log referenced. I also no longer see a timestamp in the log. I do not know if these log format changes are due to switching to a modular input for receiving AppFlow or not.
Any assistance with v11 appflow would be appreciated.
Thanks
I have been researching and don't know if it is an update to the field names in the IPFIX logs from NetScaler v11 or a difference in the way our Splunk instance is receiving the IPFIX data. Here are some examples of the differences in the log formats:
Splunk_TA_ipfix format:
TimeStamp="2015-11-18T02:37:12"; Template="258"; Observer="0"; Address="10.36.72.60"; Port="36010"; observationPointId="1"; exportingProcessId="0"; flowId="431021945"; transactionId="147769152"; connectionId="431021945"; ipVersion="4"; protocolIdentifier="6"; sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; sourceTransportPort="52566"; destinationTransportPort="80"; packetDeltaCount="1"; octetDeltaCount="692"; tcpControlBits="24"; flowFlags="67239936"; flowStartMicroseconds="1447835832.015953"; flowEndMicroseconds="1447835833.014935"; ingressInterface="2"; egressInterface="2147483651"; appNameAppID="10348"; appUnitNameAppId="0"; httpResponseForwardTimeToFB="0"; httpResponseForwardTimeToLB="0"; httpRequestUrl="/include/ethicsline/telephone3.png"; httpRequestCookie="cookie=monster"; httpRequestReferer="http://inet.alfains.com/bodyho.asp"; httpRequestMethod="GET"; httpRequestHost="inet.alfains.com"; httpRequestUserAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; InfoPath.3)"; httpContentType=""; httpRequestAuthorization=""; httpRequestVia=""; httpRequestXForwardedFor="";
IPFIX Modular Input format:
Sequence="433229920"; Template="258"; observationPointId="1"; exportingProcessId="0"; flowId="448691141"; netscalerTransactionId="154465949"; netscalerConnectionId="448691141"; ipVersion="4"; protocolIdentifier="6"; sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; sourceTransportPort="54403"; destinationTransportPort="80"; packetDeltaCount="1"; octetDeltaCount="421"; tcpControlBits="24"; netscalerFlowFlags="67243008"; flowStartMicroseconds="1448037395.930212975"; flowEndMicroseconds="1448037395.930212975"; ingressInterface="2"; egressInterface="2147483651"; netscalerAppNameAppId="10348"; netscalerAppUnitNameAppId="0"; netscalerHttpResForwFB="-2208988800.000000000"; netscalerHttpResForwLB="-2208988800.000000000"; netscalerHttpReqUrl="/favicon.ico"; netscalerHttpReqCookie="cookie=monster"; netscalerHttpReqReferer=""; netscalerHttpReqMethod="GET"; netscalerHttpReqHost="inet.alfains.com"; netscalerHttpReqUserAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; InfoPath.3)"; netscalerHttpContentType=""; netscalerHttpReqAuthorization=""; netscalerHttpReqVia=""; netscalerHttpReqXForwardedFor="";
Also, NetScaler v11 allows for more information to be exported in the IPFIX AppFlow log.
I have uploaded a screenshot, but it is not displaying in the post.
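As an added example (not part of the original post, and not code from the Splunk add-ons), the following Python normalizes a record from the IPFIX modular input back into the older Splunk_TA_ipfix field names, using only the renames visible by comparing the two records above. Assumptions: the rename table is inferred from those two samples; TimeStamp is derived from flowStartMicroseconds in UTC (note that the older record's TimeStamp of 02:37:12 is six hours behind the UTC value of its own flowStartMicroseconds, so the old TA appears to have written local time); the value -2208988800 in netscalerHttpResForwFB/LB equals the offset between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01), i.e. an NTP timestamp of zero, and is treated as "not set"; and the observer address is supplied by the caller because the new record carries no Address field. The sample records are constructed and abbreviated from the post.

```python
import re
from datetime import datetime, timezone

# Constructed sample records, abbreviated from the two formats shown in the post
# (most counters and the User-Agent string are dropped to keep the samples short).
OLD_RECORD = (
    'TimeStamp="2015-11-18T02:37:12"; Template="258"; Observer="0"; Address="10.36.72.60"; '
    'Port="36010"; flowId="431021945"; transactionId="147769152"; connectionId="431021945"; '
    'sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; '
    'flowStartMicroseconds="1447835832.015953"; appNameAppID="10348"; '
    'httpResponseForwardTimeToFB="0"; httpRequestUrl="/include/ethicsline/telephone3.png"; '
    'httpRequestMethod="GET"; httpRequestHost="inet.alfains.com"; httpRequestVia="";'
)
NEW_RECORD = (
    'Sequence="433229920"; Template="258"; flowId="448691141"; netscalerTransactionId="154465949"; '
    'netscalerConnectionId="448691141"; sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; '
    'flowStartMicroseconds="1448037395.930212975"; netscalerAppNameAppId="10348"; '
    'netscalerHttpResForwFB="-2208988800.000000000"; netscalerHttpReqUrl="/favicon.ico"; '
    'netscalerHttpReqMethod="GET"; netscalerHttpReqHost="inet.alfains.com"; netscalerHttpReqVia="";'
)

# key="value"; pairs; values may themselves contain ';' (the User-Agent does), so match up to the quote.
FIELD_RE = re.compile(r'(\w+)="([^"]*)";')

# New modular-input name -> old Splunk_TA_ipfix name, inferred from the two records in the post.
RENAMES = {
    "netscalerTransactionId": "transactionId",
    "netscalerConnectionId": "connectionId",
    "netscalerFlowFlags": "flowFlags",
    "netscalerAppNameAppId": "appNameAppID",
    "netscalerAppUnitNameAppId": "appUnitNameAppId",
    "netscalerHttpResForwFB": "httpResponseForwardTimeToFB",
    "netscalerHttpResForwLB": "httpResponseForwardTimeToLB",
    "netscalerHttpReqUrl": "httpRequestUrl",
    "netscalerHttpReqCookie": "httpRequestCookie",
    "netscalerHttpReqReferer": "httpRequestReferer",
    "netscalerHttpReqMethod": "httpRequestMethod",
    "netscalerHttpReqHost": "httpRequestHost",
    "netscalerHttpReqUserAgent": "httpRequestUserAgent",
    "netscalerHttpContentType": "httpContentType",
    "netscalerHttpReqAuthorization": "httpRequestAuthorization",
    "netscalerHttpReqVia": "httpRequestVia",
    "netscalerHttpReqXForwardedFor": "httpRequestXForwardedFor",
}

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01). An NTP
# timestamp of zero converted to Unix time lands exactly here, so it is treated as "unset"
# (an interpretation made in this example, not something the post states).
NTP_ZERO = -2208988800.0
NTP_ZERO_FIELDS = ("httpResponseForwardTimeToFB", "httpResponseForwardTimeToLB")


def parse_record(line):
    """Parse one key="value"; record into a dict, preserving field order."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def normalize(line, observer_address=None):
    """Return the record with old-TA field names, a derived TimeStamp and an optional Address.

    observer_address is an assumption of this example: the receiving input knows the
    exporter's source IP, which is what the old Address field carried.
    """
    fields = parse_record(line)
    out = {RENAMES.get(key, key): value for key, value in fields.items()}
    # The old TA wrote TimeStamp; the modular input does not. flowStartMicroseconds is
    # Unix epoch seconds, so derive an ISO-style timestamp from it (UTC, not local time).
    if "TimeStamp" not in out and "flowStartMicroseconds" in out:
        epoch = float(out["flowStartMicroseconds"])
        out["TimeStamp"] = datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    if "Address" not in out and observer_address:
        out["Address"] = observer_address
    # Map the NTP-zero sentinel to "0", which is what the old TA emitted for these fields.
    for key in NTP_ZERO_FIELDS:
        if out.get(key) and float(out[key]) == NTP_ZERO:
            out[key] = "0"
    return out


def unmapped_fields(old_line, new_line, observer_address=None):
    """Old-TA field names that the normalized new record still cannot supply."""
    old_keys = set(parse_record(old_line))
    new_keys = set(normalize(new_line, observer_address))
    return sorted(old_keys - new_keys)


def to_line(fields):
    """Serialize back to the key="value"; layout used by both formats."""
    return " ".join(f'{key}="{value}";' for key, value in fields.items())


if __name__ == "__main__":
    print(to_line(normalize(NEW_RECORD, observer_address="10.36.72.60")))
    print("still missing:", unmapped_fields(OLD_RECORD, NEW_RECORD, "10.36.72.60"))
```

Running it against the constructed samples shows that transactionId, connectionId and the HTTP fields are only renamed, TimeStamp can be rebuilt from flowStartMicroseconds, Address can be filled from the sender the input sees, and only Observer and Port have no counterpart in the new record. The same mapping could be expressed as field aliases in props.conf/transforms.conf rather than a script; the script just makes the correspondence explicit.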