- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Receiving IPFix data from Arbor: "Can't parse ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Receiving IPFix data from Arbor: "Can't parse data set...with no template"
Hi all,
I've configured a heavy forwarder and installed the IPFix add-on, but am seeing the following error message when I start things up and I'm not seeing any data get logged to the index:
04-23-2019 17:18:31.413 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_ipfix/bin/ipfix.py" WARNING:root:Can't parse Data Set with Template ID: 256 (from DataSource(host='xx.xx.xx.xx', port=50101, observer=xxxxxxxx)) with no template. Data: 8491a0a51723622...
I have read other posts about this error and see that the device we're tee-ing from should send a template every few minutes, but the Arbor Peakflow apparently cannot do this. Has anyone else here ever been successful at getting Arbor IPFix data into splunk? How did you do it? I'm not finding ANYTHING out there on the internet by others who might have done this.
Thanks for any help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
But the question is, how can I get the template in the first place?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like Arbor Peakflow is a NetFlow/IPFIX receiver and flow analyser, and not an exporter. IPFIX templates are sent along with IPFIX data flow records by flow exporters. What are flow generation devices you'd like to have visibility in Splunk?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is another alternative to ingest IPFIX (or any flow formats).
NetFlow Analytics for Splunk App (https://splunkbase.splunk.com/app/489/) together with Technology Add-on for NetFlow (https://splunkbase.splunk.com/app/1838/) and NetFlow Optimizer (NFO) need to receive IPFIX template only once. Then templates are stored internally and used going forward (unless changed on IPFIX exporter), even after NFO restarts.
NetFlow Optimizer is our product, which processes all sorts of flow formats, as well as enriches it where appropriate and forwards to NetFlow Analytics for Splunk for visualization and reporting.
Here the link to download NFO, as well as information on how to install and configure it, and get free evaluation license.
https://www.netflowlogic.com/downloads/
Should you have any questions, please don’t hesitate to reach out and we’ll be happy to help you.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
