Netflow Analytical App Does not show any data

New Member

Hi All
I installed the Netflow Analytics for Splunk app and configured inputs.conf and indexes.conf on the TA-netflow Add-on.
But I have not retrieved any data. Also, in tcpdump captures I can see the flow events currently coming in.

Where is the missing configuration?

BR
Amir

0 Karma

Contributor

Please try to use some port other than 10514, for example 10515:

[udp://10515]
sourcetype = flowintegrator
disabled = 0

and configure the Optimizer to send to 10515.

0 Karma

New Member

Thanks bro
I resolved them.
Thanks again!

0 Karma

Motivator

Can you share inputs.conf configuration?

0 Karma

Explorer
[udp://10514]
sourcetype = flowintegrator
disabled = 0
0 Karma

Explorer

What I have:
NetFlow Optimizer (2.5.0)
+
Clean Splunk (7.0) + Technology Add-on for NetFlow (3.7.33)

As mentioned in the manual (or README file), I made a folder

$SPLUNK_ROOT/etc/apps/TA-netflow/local

then made a file

$SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf

with this code:

 [udp://10514]
 sourcetype = flowintegrator

then restarted Splunk... went to inputs and enabled (it was disabled) the UDP data input on port 10514 and restarted Splunk again.

After enabling the input, there was an additional line in the code:

 [udp://10514]
 sourcetype = flowintegrator
 disabled = 0

And in the main index there are no events 😞

0 Karma

Contributor

You had configured it correctly; based on that, the main index should start to receive the events. Not sure what the problem is; could it be a permission issue?

Please run

cd /opt/splunk/bin
./splunk list udp

it should return something like this:
root@ip-172-30-0-193:/opt/splunk/bin# ./splunk list udp
Listening for input on the following UDP ports:
10514

Another command for debugging is:

cd /opt/splunk/bin
./splunk cmd btool inputs list

Among other inputs, it should also return something like this:

[udp://10514]
_rcvbuf = 1572864
disabled = 0
host = ip-172-30-0-193
index = default
sourcetype = flowintegrator

0 Karma

Explorer

(For testing I use the Windows platform.)
For some reason the first command returns this (I think this is the issue):

Splunk is not listening for input on any UDP input

Does this command show the same thing that is shown in "Data inputs" in the Web GUI or in "Forwarding and receiving"?

Why is Splunk not listening for input if I definitely added this...

In the output of the second command I find only this:

[udp://10514]
0 Karma

Contributor

It should be visible in "Data inputs"->Local inputs-UDP

Is port 10514 listed there?

0 Karma

Explorer
0 Karma

Contributor

I am curious what happens if you add a new input from the GUI "Data inputs"->Local inputs-UDP

for example if you add port 10515

is it listed when you run

cd /opt/splunk/bin
./splunk list udp

0 Karma

Explorer

I made it!

For some reason a clean Splunk is using UDP port 10514 and you can't manually add an input for this port.

I reconfigured everything to use port 10515 and all went smoothly!

Thank you very much, Imrago!

0 Karma
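
An added example, not part of the original thread and not Splunk or add-on code: a pre-flight check for the failure found above, where the configured UDP port was already held by something else. It reads the enabled `[udp://...]` stanzas from inputs.conf text and tries to bind each port. The sample text is constructed from the stanza posted in this thread, and the function names are hypothetical. It assumes Splunk is stopped while it runs, since a working Splunk listener would also show the port as in use.

```python
import configparser
import socket

# Constructed sample mirroring the stanza posted in this thread.
SAMPLE_INPUTS_CONF = """
[udp://10514]
sourcetype = flowintegrator
disabled = 0
"""


def udp_ports(conf_text):
    """Return the ports of enabled [udp://...] stanzas in inputs.conf text."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    ports = []
    for section in cp.sections():
        if not section.startswith("udp://"):
            continue
        disabled = cp.get(section, "disabled", fallback="0").strip().lower()
        if disabled in ("1", "true"):
            continue
        # Stanza is udp://<port> or udp://<remote host>:<port>.
        ports.append(int(section.rsplit(":", 1)[-1].lstrip("/")))
    return ports


def port_is_free(port, host="0.0.0.0"):
    """True if a UDP socket can bind the port; False if the bind is refused
    (port held by another process, or no permission for a low port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def check(conf_text):
    """Map each enabled UDP input port to whether it can currently be bound."""
    return {port: port_is_free(port) for port in udp_ports(conf_text)}


if __name__ == "__main__":
    for port, free in check(SAMPLE_INPUTS_CONF).items():
        print(port, "free" if free else "NOT bindable: pick another port")
```

A port reported as not bindable here is one that `./splunk list udp` would not show as listening after the restart.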

Contributor

As the problem is resolved, I am moving this solution to Answers. Please accept.

0 Karma

Contributor

Was Splunk restarted after these changes?

0 Karma

Explorer

yes it was

0 Karma