Hi All
I installed the Netflow Analytics for Splunk app and configured inputs.conf and indexes.conf on TA-netflow Add-on.
But I have not retrieved any data. Also, in tcpdump captures I can see the flow events incoming currently.
Where are the missing configurations?
BR
Amir
Please try to use some other port than 10514, for example 10515 :
[udp://10515]
sourcetype = flowintegrator
disabled = 0
and configure the Optimizer to send to 10515.
Thanks bro,
I resolved them.
Thanks again!
Can you share inputs.conf configuration?
[udp://10514]
sourcetype = flowintegrator
disabled = 0
What I have:
NetFlow Optimizer (2.5.0)
+
Clean Splunk (7.0) + Technology Add-on for NetFlow (3.7.33)
As mentioned in manual (or README file), I made a folder
$SPLUNK_ROOT/etc/apps/TA-netflow/local
then made a file
$SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf
with this code:
[udp://10514]
sourcetype = flowintegrator
then restarted Splunk, went to inputs and enabled (it was disabled) the UDP data input on port 10514, and restarted Splunk again.
After enabling the input, there was an additional line in the file:
[udp://10514]
sourcetype = flowintegrator
disabled = 0
And in the main index there are no events 😞
You had configured it correctly; based on that, the main index should start to receive the events. Not sure what the problem is, could it be a permission issue?
Please run
cd /opt/splunk/bin
./splunk list udp
it should return something like this:
root@ip-172-30-0-193:/opt/splunk/bin# ./splunk list udp
Listening for input on the following UDP ports:
10514
Another command for debugging is:
cd /opt/splunk/bin
./splunk cmd btool inputs list
it should return among other inputs also something like this:
[udp://10514]
_rcvbuf = 1572864
disabled = 0
host = ip-172-30-0-193
index = default
sourcetype = flowintegrator
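The two checks above (is the stanza present and enabled, and is Splunk actually listening) can be scripted. The following is an added example, not part of this thread or of the TA-netflow add-on: it parses inputs.conf stanzas from a constructed sample and tries to bind the UDP port itself to reveal a port already held by another process, which is one reason "splunk list udp" can come back empty.

```python
import errno
import socket
from configparser import ConfigParser

# Constructed sample modelled on the stanzas posted in this thread.
SAMPLE_INPUTS_CONF = """
[udp://10514]
sourcetype = flowintegrator
disabled = 0

[udp://10515]
sourcetype = flowintegrator
disabled = 1
"""


def parse_udp_inputs(conf_text):
    """Return {port: {key: value}} for every [udp://PORT] or [udp://HOST:PORT] stanza."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    inputs = {}
    for section in cp.sections():
        if section.startswith("udp://"):
            port = int(section.split("://", 1)[1].rsplit(":", 1)[-1])
            inputs[port] = dict(cp[section])
    return inputs


def check_input(conf_text, port, expected_sourcetype="flowintegrator"):
    """Return a list of findings for the stanza; an empty list means it looks right."""
    stanza = parse_udp_inputs(conf_text).get(port)
    if stanza is None:
        return [f"no [udp://{port}] stanza found"]
    findings = []
    if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
        findings.append(f"udp://{port} is disabled")
    if stanza.get("sourcetype") != expected_sourcetype:
        findings.append(f"sourcetype is {stanza.get('sourcetype')!r}, expected {expected_sourcetype!r}")
    return findings


def udp_port_is_free(port, host="0.0.0.0"):
    """Try to bind the UDP port; False means another process already owns it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno in (errno.EADDRINUSE, errno.EACCES):
            return False
        raise
    finally:
        sock.close()
```

Run udp_port_is_free() while Splunk is stopped: if the port is still taken, something other than Splunk holds it and the input will never bind.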
(For testing I use the Windows platform.)
For some reason the first command returns this (I think this is the issue):
Splunk is not listening for input on any UDP input
Does this command show the same thing that is shown in "Data inputs" in the Web GUI or in "Forwarding and receiving"?
Why is Splunk not listening for input if I definitely added this...
Among the output of the second command I find only this:
[udp://10514]
It should be visible in "Data inputs"->Local inputs-UDP
Is port 10514 listed there?
I am curious what happens if you add a new input from the GUI "Data inputs"->Local inputs-UDP,
for example if you add port 10515.
Is it listed when you run
cd /opt/splunk/bin
./splunk list udp
I made it!
For some reason clean Splunk is using UDP port 10514 and you can't manually add an input for this port.
I reconfigured everything to use port 10515 and it all went smoothly!
Thank you Imrago very much!
As the problem is resolved, I am moving this solution to Answers. Please accept.
Was Splunk restarted after these changes?
Yes, it was.