If nfdump from the app is capturing properly, it should write log files in the app's directory (
Also check if the listening port is the right one in
And lastly, you can search the internal log for any errors:
index=_internal sourcetype=splunkd ("nfdump" OR "netflow")
Here is a little more detailed description:
The landing page for NETFLOW is saying "No results found. Inspect ..." When I look at the search, the inspector is saying that it did not match any results for "sourcetype=netflow | bin time span=5m | stats sum(numbytes) AS TotalBytes sum(numpackets) AS TotalPackets avg(bps) AS AvgBps by srcip srcport srcservice dstip dstport dstservice proto protoname time routerip".
When I run that search it returns a lot of data.
Did you install the Netflow App on a Linux box, because it only runs on Linux?
Have you configured a data input on the Splunk Server?
You will need to configure either a UDP or TCP data input on the Splunk indexer that corresponds to the port you configured on your device sending netflow data, i.e. UDP 9996.
Also, according to the README that comes with the Netflow app make sure that the data input is set to a sourcetype of "netflow".
This is the part that I don't understand. I specified port 9990 in the config.ini, and I see that there is a process running nfcapd with "-p 9990" specified. If I add a udp input for splunk on port 9990, nfcapd won't be able to listen on that port since it's already in use.
The cryptic readme says that netflow flows are captured using nfdump (and nfcapd?) and "fed" into Splunk. How is it fed? I see 2 file inputs with the netflow app, both with sourcetype already set to netflow. "The app relies on the sourcetype=netflow." isn't very helpful, as it doesn't say what source needs that sourcetype.
I agree, these are very unusual instructions. The Netflow app appears to use a file input for etc/apps/netflow/log/nfdump. I do not have a TCP input for the same port nfcapd is listening on.
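The layout the two posts above converge on (nfcapd binds the UDP port and writes files under the app's log directory; Splunk picks those files up with a file monitor, so a second udp:// input on the same port only produces a bind conflict) can be checked mechanically against inputs.conf and the running nfcapd command line. The following is an added example and is not code from this thread or from the Netflow app; the stanza text, the nfcapd command line and the splunkd log lines are constructed samples, and the log component names in them are assumptions.

```python
import re
from configparser import ConfigParser

# Constructed sample: nfcapd as it would appear in the process list.
# Port 9990 is the one discussed in the thread; the other flags are assumptions.
NFCAPD_CMDLINE = "nfcapd -D -p 9990 -l etc/apps/netflow/log/nfdump"

# Constructed sample inputs.conf with the mistaken udp:// input on nfcapd's port
# next to the file monitor the app actually relies on.
INPUTS_CONF_BROKEN = """
[udp://9990]
sourcetype = netflow

[monitor://etc/apps/netflow/log/nfdump]
sourcetype = netflow
"""

# Same file with the udp:// stanza removed: only the file monitor remains.
INPUTS_CONF_FIXED = """
[monitor://etc/apps/netflow/log/nfdump]
sourcetype = netflow
"""

# Constructed splunkd.log lines (component names are assumptions, not real Splunk output).
SPLUNKD_LOG = """\
04-01-2013 10:00:01.000 +0000 INFO  TailingProcessor - Adding watch on path: etc/apps/netflow/log/nfdump
04-01-2013 10:00:02.000 +0000 ERROR UDPInputProcessor - Could not bind to port 9990: Address already in use
04-01-2013 10:00:03.000 +0000 INFO  Metrics - group=per_sourcetype_thruput, series="netflow", kbps=12.3
"""


def nfcapd_port(cmdline):
    """Return the UDP port nfcapd was started with (-p <port>), or None."""
    m = re.search(r"(?:^|\s)-p\s*(\d+)", cmdline)
    return int(m.group(1)) if m else None


def parse_inputs(text):
    """Parse inputs.conf stanzas into {stanza: {key: value}}."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key names case-sensitive as Splunk does
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def check_netflow_inputs(inputs, port):
    """Report inputs that fight nfcapd for its port or feed the wrong sourcetype."""
    findings = []
    for stanza, keys in inputs.items():
        if stanza.startswith(("udp://", "tcp://")):
            _, _, spec = stanza.partition("://")
            listen_port = int(spec.rsplit(":", 1)[-1])  # accepts udp://9990 and udp://host:9990
            if listen_port == port:
                findings.append(f"conflict: {stanza} would bind port {port}, which nfcapd already owns")
        elif stanza.startswith("monitor://"):
            st = keys.get("sourcetype")
            if st != "netflow":
                findings.append(f"{stanza}: sourcetype is {st!r}, the app expects 'netflow'")
    if not any(s.startswith("monitor://") for s in inputs):
        findings.append("no monitor:// input: files written by nfcapd will never reach Splunk")
    return findings


def log_errors(log_text, terms=("nfdump", "netflow", "9990")):
    """Mimic the thread's internal-log search: non-INFO lines mentioning the relevant terms."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        level = fields[3] if len(fields) > 3 else ""
        if level in ("WARN", "ERROR", "FATAL") and any(t in line for t in terms):
            hits.append(line)
    return hits


if __name__ == "__main__":
    port = nfcapd_port(NFCAPD_CMDLINE)
    for name, conf in (("broken", INPUTS_CONF_BROKEN), ("fixed", INPUTS_CONF_FIXED)):
        print(name, check_netflow_inputs(parse_inputs(conf), port) or "ok")
    for hit in log_errors(SPLUNKD_LOG):
        print("splunkd:", hit)
```

Run against a real deployment, the command line would come from the process list and the stanzas from the app's local inputs.conf; the point of the checks is that the only input the app needs is the file monitor with sourcetype=netflow, and any udp:// or tcp:// stanza on nfcapd's port is a misconfiguration to remove rather than something to add.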
I apologize this does not answer your specific query, but it relates to netflow data in Splunk. I have been using ProQueSys FlowTraq (our partner) for full fidelity netflow data in Splunk. They recently added strong syslog capability.
It has multiple OS support and software flow exporters with volume based pricing like Splunk, which makes for really flexible flow deployment. You can check it out here.
Splunk for NetFlow App based on nfdump works just fine, and there is nothing wrong with it. Nfdump, being open source and free, can be painful to install and configure. It also may not be practical even in the case of a typical NetFlow volume observed in medium size networks.
You may consider an alternative solution - NetFlow Integrator. Here are some of the main features:
Here are the links to Splunk App and TA: