I installed the Netflow Analytics for Splunk app and configured inputs.conf and indexes.conf in the TA-netflow Add-on.
But I have not retrieved any data, although in tcpdump captures I can see the flow events coming in currently.
Where is the missing configuration?
What I have:
NetFlow Optimizer (2.5.0)
Clean Splunk (7.0) + Technology Add-on for NetFlow (3.7.33)
As mentioned in the manual (or README file), I made a folder
then made a file
with this code:
[udp://10514]
sourcetype = flowintegrator
then restarted Splunk... went to Inputs and enabled (it was disabled) the UDP data input on port 10514, and restarted Splunk again.
After enabling the input, there was an additional line in the file:
[udp://10514]
sourcetype = flowintegrator
disabled = 0
And in the main index there are no events 😞
You have configured it correctly; based on that, the main index should start to receive the events. Not sure what the problem is, could it be a permission issue?
./splunk list udp
It should return something like this:
root@ip-172-30-0-193:/opt/splunk/bin# ./splunk list udp
Listening for input on the following UDP ports:
Another command for debugging is:
./splunk cmd btool inputs list
It should return, among other inputs, something like this:
_rcvbuf = 1572864
disabled = 0
host = ip-172-30-0-193
index = default
sourcetype = flowintegrator
(For testing I use the Windows platform.)
For some reason the first command returns this (I think this is the issue):
Splunk is not listening for input on any UDP input
Does this command show the same thing that is shown in "Data inputs" in the Web GUI, or in "Forwarding and receiving"?
Why is Splunk not listening for input if I definitely added this...
In the output of the second command I find only this:
I am curious what happens if you add a new input from the GUI: "Data inputs" -> Local inputs -> UDP,
for example if you add port 10515.
Is it listed when you run
./splunk list udp
I made it!
For some reason clean Splunk is using UDP port 10514 and you can't manually add an input for this port.
I reconfigured everything to use port 10515 and all went smoothly!
Thank you very much, Imrago!
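The two checks Imrago suggests (does btool see the stanza, is Splunk listening) and the final cause (the port was already taken) can be reproduced offline. The following Python script is an added example, not Splunk's code or part of the NetFlow add-on: it parses a constructed inputs.conf sample written in the same stanza syntax as the thread, lists the UDP inputs with their enabled state, and tries to bind each port so that a port already owned by another process shows up before you restart Splunk. The sample stanzas, the function names and the status labels are assumptions made for this example.

```python
"""Parse Splunk-style inputs.conf UDP stanzas and test whether each port is bindable.

Added example (not Splunk's code). It mirrors the two manual checks from the
thread: "btool inputs list" (is the stanza there and enabled?) and
"splunk list udp" (is anything able to listen on that port?).
"""
import re
import socket
from typing import Dict, List

# Constructed sample modelled on the stanza in the thread; not config from a real host.
SAMPLE_INPUTS_CONF = """
# flow collector input from the thread
[udp://10514]
sourcetype = flowintegrator
disabled = 0

[udp://10515]
sourcetype = flowintegrator
disabled = 1

[monitor:///var/log/syslog]
sourcetype = syslog
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[^=#;\s][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_inputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {key: value}} for a .conf file; comments and blanks are skipped."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value")
    return stanzas


def udp_inputs(stanzas: Dict[str, Dict[str, str]]) -> List[dict]:
    """Extract [udp://port] and [udp://host:port] stanzas as port/enabled/sourcetype records."""
    result = []
    for name, kv in stanzas.items():
        if not name.startswith("udp://"):
            continue
        port_text = name[len("udp://"):].rsplit(":", 1)[-1]
        try:
            port = int(port_text)
        except ValueError:
            continue  # malformed stanza name; btool would show it, but it cannot listen
        # Splunk treats a missing "disabled" as enabled; 1/true/yes mean disabled.
        enabled = kv.get("disabled", "0").strip().lower() not in ("1", "true", "t", "yes", "y")
        result.append({"port": port, "enabled": enabled, "sourcetype": kv.get("sourcetype")})
    return result


def udp_port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """Try to bind the UDP port; False means some other process already owns it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def reserve_udp_port(host: str = "127.0.0.1") -> socket.socket:
    """Bind an ephemeral UDP port and keep it open, simulating a process that already owns a port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    return s


def diagnose(text: str, host: str = "0.0.0.0") -> List[dict]:
    """Classify each UDP input as disabled, free (Splunk can listen) or in_use (port conflict)."""
    findings = []
    for inp in udp_inputs(parse_inputs_conf(text)):
        if not inp["enabled"]:
            status = "disabled"  # btool shows disabled = 1: enable it, then restart
        elif udp_port_is_free(inp["port"], host):
            status = "free"  # nobody holds the port: Splunk should list it after restart
        else:
            status = "in_use"  # held by another listener (or an existing Splunk input)
        findings.append({**inp, "status": status})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_INPUTS_CONF):
        print(finding)
    held = reserve_udp_port()  # simulate the port conflict seen in the thread
    port = held.getsockname()[1]
    print(diagnose(f"[udp://{port}]\nsourcetype = flowintegrator\n", host="127.0.0.1"))
    held.close()
```

Read the result next to the CLI output: an input reported as in_use that does not appear in `./splunk list udp` is held by some other process, which is the situation the thread ended in; an input reported as free but still absent from `splunk list udp` after a restart points back at the stanza itself (wrong file location or a permission problem on the conf file), which is what btool helps confirm.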