No data captured by NetFlow NetFlowLogic app

ecovert
Engager

I have installed the NetFlow for Splunk app and verified that data is flowing to the server, but I do not see any data showing up on the dashboard. There is no data for NETFLOW being captured. Where can I go to test?

NetFlow_Logic
Contributor

The underlying technology in this App - nfdump - was replaced with a free limited edition of NetFlow Integrator.

For a high volume of NetFlow records you may consider this App and TA:

https://splunkbase.splunk.com/app/489/

https://splunkbase.splunk.com/app/1838/

0 Karma

jonathanmorcom
Explorer

The app appears to be missing the index location in inputs.conf.

Add this to each stanza and it will work.

vim /opt/splunk/etc/apps/netflow/default/inputs.conf

Add index=netflow_si_traffic to the 3 stanzas in the file and restart Splunk.

0 Karma

NetFlow_Logic
Contributor

Splunk for NetFlow App based on nfdump works just fine, and there is nothing wrong with it. Nfdump, being open source and free, could be painful to install and configure. It also may not be practical even in the case of a typical NetFlow volume observed in medium-size networks.

You may consider an alternative solution - NetFlow Integrator. Here are some of the main features:

  • Aggregation rules reduce the volume of data sent to Splunk by orders of magnitude without losing any information for network monitoring and capacity planning
  • Able to process hundreds of thousands of NetFlow records per second
  • One instance of NetFlow Integrator can receive NetFlow from an unlimited number of NetFlow producers - just configure the listening port in NetFlow Integrator, and direct NetFlow traffic from routers, switches, and firewalls to this port.
  • and many more...

Here are the links to Splunk App and TA:

https://splunkbase.splunk.com/app/489/

https://splunkbase.splunk.com/app/1838/

0 Karma

InterMapper
Explorer

I apologize this does not answer your specific query, but it relates to NetFlow data in Splunk. I have been using ProQueSys FlowTraq (our partner) for full-fidelity NetFlow data in Splunk. They recently added strong syslog capability.
It has multiple OS support and software flow exporters with volume-based pricing like Splunk, which makes for a really flexible flow deployment. You can check it out here.

0 Karma

tgow
Splunk Employee

Did you install the Netflow App on a Linux box? It only runs on Linux.

Have you configured a data input on the Splunk Server?

You will need to configure either a UDP or TCP data input on the Splunk indexer that corresponds to the port you configured on your device sending NetFlow data, i.e. UDP 9996.

Also, according to the README that comes with the Netflow app make sure that the data input is set to a sourcetype of "netflow".

chaker
Contributor

I agree, these are very unusual instructions. The Netflow app appears to use a file input for etc/apps/netflow/log/nfdump. I do not have a TCP input for the same port nfcapd is listening on.

0 Karma

jpriceit
Engager

This is the part that I don't understand. I specified port 9990 in the config.ini, and I see that there is a process running nfcapd with "-p 9990" specified. If I add a udp input for splunk on port 9990, nfcapd won't be able to listen on that port since it's already in use.

The cryptic readme says that NetFlow flows are captured using nfdump (and nfcapd?) and "fed" into Splunk. How is it fed? I see 2 file inputs with the Netflow app, both with sourcetype already set to netflow. "The app relies on the sourcetype=netflow." isn't very helpful, as it doesn't say what source needs that sourcetype.

0 Karma

MarioM
Motivator

If nfdump from the app is capturing properly, it should write log files in the app's directory (netflow/log/nfdump/).

Also check that the listening port is the right one in $SPLUNK_HOME/etc/apps/netflow/default/config.ini.

And last, you can search the internal log for any errors:

index=_internal sourcetype=splunkd ("nfdump" OR "netflow")

0 Karma
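The checks suggested in this thread, gathered into one script as an added example; it is not part of the NetFlow app or of any post above. It follows jonathanmorcom's fix (add index= to each inputs.conf stanza and restart) and MarioM's checklist (capture files under netflow/log/nfdump/, the port in config.ini, the _internal search). Assumptions, none of which the thread confirms: the config.ini key holding the nfcapd port is named `port`; nfcapd writes its capture files as `nfcapd.<timestamp>`; the sample inputs.conf stanzas are constructed for the demo and are not the app's real stanzas; `SPLUNK_HOME` defaults to /opt/splunk as in the path jonathanmorcom posted.

```shell
#!/bin/sh
# Added troubleshooting helper for the nfdump-based NetFlow app; not part of the
# app. Paths follow the thread ($SPLUNK_HOME/etc/apps/netflow, config.ini,
# log/nfdump/). ASSUMPTIONS: the config.ini key for the nfcapd port is "port",
# and nfcapd names its capture files nfcapd.<timestamp> (nfcapd.current.<pid>
# while a file is still being written).

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
APP_DIR="$SPLUNK_HOME/etc/apps/netflow"

# Port configured in config.ini ($1); empty if the (assumed) key is absent.
config_port() {
    sed -n 's/^[[:space:]]*port[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Port the running nfcapd was started with (-p NNNN); empty if not running.
nfcapd_port() {
    ps -eo args= | sed -n 's/.*nfcapd .*-p[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Number of nfcapd capture files under directory $1.
capture_file_count() {
    find "$1" -type f -name 'nfcapd.*' 2>/dev/null | wc -l | tr -d ' '
}

# Stanza headers in Splunk .conf file $1 that do not set index=.
missing_index_stanzas() {
    awk '
        function report() { if (cur != "" && !has) print cur }
        /^[[:space:]]*\[/ { report(); cur = $0; has = 0; next }
        /^[[:space:]]*index[[:space:]]*=/ { has = 1 }
        END { report() }
    ' "$1"
}

# Print .conf file $1 with "index = $2" inserted directly under every stanza
# header that lacks one. The first pass over the file records which stanzas
# already set index=, so re-running on the result changes nothing.
add_index() {
    awk -v idx="$2" '
        NR == FNR {
            if ($0 ~ /^[[:space:]]*\[/) cur = $0
            else if ($0 ~ /^[[:space:]]*index[[:space:]]*=/) has[cur] = 1
            next
        }
        { print }
        /^[[:space:]]*\[/ && !($0 in has) { print "index = " idx }
    ' "$1" "$1"
}

# Constructed sample inputs.conf written to $1 (stanza names are illustrative,
# not the app's own; the point is three stanzas with sourcetype but no index).
write_sample_inputs_conf() {
    cat > "$1" <<'EOF'
[monitor:///opt/splunk/etc/apps/netflow/log/nfdump]
sourcetype = netflow
disabled = false

[monitor:///opt/splunk/etc/apps/netflow/log/nfdump_top]
sourcetype = netflow

[script://./bin/nfdump_wrapper.sh]
interval = 300
sourcetype = netflow
EOF
}

# Live checks against a real install; prints one status line per check.
run_checks() {
    want="$(config_port "$APP_DIR/default/config.ini")"
    have="$(nfcapd_port)"
    echo "config.ini port: ${want:-<none>}   nfcapd -p: ${have:-<not running>}"
    [ -n "$have" ] && [ "$want" = "$have" ] || echo "WARN: nfcapd is not listening on the configured port"
    echo "capture files under $APP_DIR/log/nfdump: $(capture_file_count "$APP_DIR/log/nfdump")"
    echo "input stanzas without index=:"
    missing_index_stanzas "$APP_DIR/default/inputs.conf" | sed 's/^/  /'
    echo "next, in Splunk: index=_internal sourcetype=splunkd (\"nfdump\" OR \"netflow\")"
}

if [ "${1:-}" = "--demo" ]; then
    tmp="$(mktemp -d)"
    write_sample_inputs_conf "$tmp/inputs.conf"
    echo "stanzas missing index=:"; missing_index_stanzas "$tmp/inputs.conf"
    echo; echo "rewritten inputs.conf:"; add_index "$tmp/inputs.conf" netflow_si_traffic
    rm -rf "$tmp"
elif [ "${1:-}" = "--check" ]; then
    run_checks
fi
```

Run it with `--check` on the Splunk host to print the live status, or with `--demo` to see the inputs.conf rewrite on the constructed sample (redirect `add_index` output to a file, diff it against the original, then copy it into place and restart Splunk). One caveat if you do route the inputs to a dedicated index such as netflow_si_traffic: a search that does not name an index only covers the indexes in the searching role's default set, so either add the new index to that set or put `index=netflow_si_traffic` in front of the dashboard searches.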

mkehler
New Member

Can't get this to work at all. Any more install notes available?

0 Karma

zoemdoef
New Member

I am also disappointed in this app. I can't find enough info for it and it's frustrating.

0 Karma

ecovert
Engager

Here is a little more detailed description:
The landing page for NETFLOW is saying "No results found. Inspect ..." When I look at the search, the inspector is saying that it did not match any results for "sourcetype=netflow | bin _time span=5m | stats sum(num_bytes) AS TotalBytes sum(num_packets) AS TotalPackets avg(bps) AS AvgBps by srcip srcport srcservice dstip dstport dstservice proto proto_name _time router_ip".

When I run that search it returns a lot of data.

0 Karma