
Need Assistance with Netscaler v11 Appflow


We recently upgraded our netscalers from v10 to v11. Soon after, our heavy forwarder running the Splunk_TA_IPFIX_UDP_NIX app started running very high memory. We were also dropping 95%+ appflow data. I started researching and upgraded our Splunk Netscaler app and TA to 5.x on the heavy forwarder. The Splunk_TA_ipfix was really the only component that needed to be upgraded, but I thought since I was upgrading one, I would do both.

I am now receiving appflow data again, but it appears that the format has changed. I no longer see fields such as "Address" which used to indicate which netscaler host the log referenced. I also no longer see a timestamp in the log. I do not know if these log format changes are due to switching to a modular input for receiving appflow or not.

Any assistance with v11 appflow would be appreciated.



I have been researching and don't know if it is an update to the field names in the IPFIX logs from Netscaler v11 or the difference in the way our Splunk instance is receiving the IPFIX data. Here are some examples of the differences in the log formats:

Splunk_TA_ipfix format:
TimeStamp="2015-11-18T02:37:12"; Template="258"; Observer="0"; Address=""; Port="36010"; observationPointId="1"; exportingProcessId="0"; flowId="431021945"; transactionId="147769152"; connectionId="431021945"; ipVersion="4"; protocolIdentifier="6"; sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; sourceTransportPort="52566"; destinationTransportPort="80"; packetDeltaCount="1"; octetDeltaCount="692"; tcpControlBits="24"; flowFlags="67239936"; flowStartMicroseconds="1447835832.015953"; flowEndMicroseconds="1447835833.014935"; ingressInterface="2"; egressInterface="2147483651"; appNameAppID="10348"; appUnitNameAppId="0"; httpResponseForwardTimeToFB="0"; httpResponseForwardTimeToLB="0"; httpRequestUrl="/include/ethicsline/telephone3.png"; httpRequestCookie="cookie=monster"; httpRequestReferer=""; httpRequestMethod="GET"; httpRequestHost=""; httpRequestUserAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; InfoPath.3)"; httpContentType=""; httpRequestAuthorization=""; httpRequestVia=""; httpRequestXForwardedFor="";

IPFIX Modular Input format:
Sequence="433229920"; Template="258"; observationPointId="1"; exportingProcessId="0"; flowId="448691141"; netscalerTransactionId="154465949"; netscalerConnectionId="448691141"; ipVersion="4"; protocolIdentifier="6"; sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; sourceTransportPort="54403"; destinationTransportPort="80"; packetDeltaCount="1"; octetDeltaCount="421"; tcpControlBits="24"; netscalerFlowFlags="67243008"; flowStartMicroseconds="1448037395.930212975"; flowEndMicroseconds="1448037395.930212975"; ingressInterface="2"; egressInterface="2147483651"; netscalerAppNameAppId="10348"; netscalerAppUnitNameAppId="0"; netscalerHttpResForwFB="-2208988800.000000000"; netscalerHttpResForwLB="-2208988800.000000000"; netscalerHttpReqUrl="/favicon.ico"; netscalerHttpReqCookie="cookie=monster"; netscalerHttpReqReferer=""; netscalerHttpReqMethod="GET"; netscalerHttpReqHost=""; netscalerHttpReqUserAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; InfoPath.3)"; netscalerHttpContentType=""; netscalerHttpReqAuthorization=""; netscalerHttpReqVia=""; netscalerHttpReqXForwardedFor="";

Also, Netscaler v11 allows for more information to be exported in the IPFIX appflow log.

0 Karma
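The renames between the two sample events above can be bridged with a lookup table so that searches written against the older names keep working. This is an added example, not part of the original posts or of either Splunk add-on; the `normalize` helper, the use of flow start time as a stand-in for `TimeStamp`, and the reading of `-2208988800` as an unset timer are assumptions. It does not restore `Address`, which is absent from the modular-input event.

```python
import re
from datetime import datetime, timezone

# Modular-input name -> older Splunk_TA_ipfix name, read off the two sample events above.
LEGACY_NAMES = {
    "netscalerTransactionId": "transactionId", "netscalerConnectionId": "connectionId",
    "netscalerFlowFlags": "flowFlags", "netscalerAppNameAppId": "appNameAppID",
    "netscalerAppUnitNameAppId": "appUnitNameAppId",
    "netscalerHttpResForwFB": "httpResponseForwardTimeToFB",
    "netscalerHttpResForwLB": "httpResponseForwardTimeToLB",
    "netscalerHttpReqUrl": "httpRequestUrl", "netscalerHttpReqCookie": "httpRequestCookie",
    "netscalerHttpReqReferer": "httpRequestReferer", "netscalerHttpReqMethod": "httpRequestMethod",
    "netscalerHttpReqHost": "httpRequestHost", "netscalerHttpReqUserAgent": "httpRequestUserAgent",
    "netscalerHttpContentType": "httpContentType",
    "netscalerHttpReqAuthorization": "httpRequestAuthorization",
    "netscalerHttpReqVia": "httpRequestVia",
    "netscalerHttpReqXForwardedFor": "httpRequestXForwardedFor",
}
PAIR = re.compile(r'(\w+)="([^"]*)"')  # values may contain ';' (user agents); assumed free of '"'
NTP_ZERO = "-2208988800"  # 1900-01-01 as Unix seconds; assumed here to mean "not set"


def normalize(event):
    """Parse key="value"; pairs and return a dict keyed by the older field names."""
    out = {}
    for name, value in PAIR.findall(event):
        if value.split(".")[0] == NTP_ZERO:
            value = "0"  # the older sample event shows 0 for these timers
        out[LEGACY_NAMES.get(name, name)] = value
    # Assumption: flow start (UTC) is an acceptable substitute for the missing TimeStamp.
    secs = out.get("flowStartMicroseconds", "").split(".")[0]
    if secs.isdigit():
        when = datetime.fromtimestamp(int(secs), tz=timezone.utc)
        out["TimeStamp"] = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return out


# Constructed sample: a shortened copy of the modular-input event from the post.
SAMPLE = (
    'Sequence="433229920"; Template="258"; netscalerTransactionId="154465949"; '
    'flowStartMicroseconds="1448037395.930212975"; '
    'netscalerHttpResForwFB="-2208988800.000000000"; netscalerHttpReqUrl="/favicon.ico"; '
    'netscalerHttpReqMethod="GET"; '
    'netscalerHttpReqUserAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"; '
)

if __name__ == "__main__":
    for key, value in normalize(SAMPLE).items():
        print(f"{key}={value}")
```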


I have uploaded a screenshot but it is not displaying in the post.

0 Karma