I've configured a heavy forwarder and installed the IPFIX add-on, but am seeing the following error message when I start things up and I'm not seeing any data get logged to the index:
04-23-2019 17:18:31.413 +0000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/SplunkTAipfix/bin/ipfix.py" WARNING:root:Can't parse Data Set with Template ID: 256 (from DataSource(host='xx.xx.xx.xx', port=50101, observer=xxxxxxxx)) with no template. Data: 8491a0a51723622...
I have read other posts about this error and see that the device we're tee-ing from should send a template every few minutes, but the Arbor Peakflow apparently cannot do this. Has anyone else here ever been successful at getting Arbor IPFIX data into Splunk? How did you do it? I'm not finding ANYTHING out there on the internet by others who might have done this.
Thanks for any help!
It looks like Arbor Peakflow is a NetFlow/IPFIX receiver and flow analyser, and not an exporter. IPFIX templates are sent along with IPFIX data flow records by flow exporters. Which flow-generating devices would you like to have visibility into in Splunk?
Here is another alternative to ingest IPFIX (or any flow formats).
NetFlow Analytics for Splunk App (https://splunkbase.splunk.com/app/489/) together with Technology Add-on for NetFlow (https://splunkbase.splunk.com/app/1838/) and NetFlow Optimizer (NFO) need to receive an IPFIX template only once. Templates are then stored internally and used going forward (unless changed on the IPFIX exporter), even after NFO restarts.
NetFlow Optimizer is our product, which processes all sorts of flow formats, enriches them where appropriate and forwards them to NetFlow Analytics for Splunk for visualization and reporting.
Here is the link to download NFO, as well as information on how to install and configure it, and get a free evaluation license.
Should you have any questions, please don’t hesitate to reach out and we’ll be happy to help you.
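The mechanism behind the warning in the question and the template handling described in both answers, as an added example that is not code from the original thread, from the Splunk IPFIX add-on, or from NetFlow Optimizer. It is a minimal IPFIX (RFC 7011) collector in Python that decodes data sets only once it has seen a template set for that template ID from the same exporter and observation domain, and keeps the template cached for later messages. The exporter address 203.0.113.5, the observation domain, and the three messages (a data set for template 256 arriving before any template, then a template set plus data, then data alone) are constructed here for illustration and are not from the page.

```python
import ipaddress
import struct

# RFC 7011 layouts: message header and set header (network byte order)
MSG_HEADER = struct.Struct("!HHIII")   # version, length, export time, sequence, observation domain
SET_HEADER = struct.Struct("!HH")      # set ID, set length (including this header)
TEMPLATE_SET_ID = 2                    # set ID 3 (options templates) is not handled here
VARIABLE_LENGTH = 0xFFFF

# A few IANA information elements, enough to decode the sample records below
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address",
            11: "destinationTransportPort", 12: "destinationIPv4Address"}


class NoTemplateError(Exception):
    """Raised when a data set arrives for a template this collector has never seen."""


class IpfixCollector:
    def __init__(self):
        # Templates are scoped per (exporter address, observation domain, template ID);
        # the same template ID from another exporter is a different template.
        self.templates = {}

    def parse_message(self, source, data):
        version, length, _export_time, _seq, domain = MSG_HEADER.unpack_from(data, 0)
        if version != 10:
            raise ValueError(f"not an IPFIX message (version {version})")
        records, offset = [], MSG_HEADER.size
        while offset + SET_HEADER.size <= length:
            set_id, set_len = SET_HEADER.unpack_from(data, offset)
            if set_len < SET_HEADER.size:
                raise ValueError("malformed set length")
            body = data[offset + SET_HEADER.size:offset + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._parse_template_set(source, domain, body)
            elif set_id >= 256:            # data set; the set ID is the template ID
                records.extend(self._parse_data_set(source, domain, set_id, body))
            offset += set_len              # other set IDs (options templates, reserved) are skipped
        return records

    def _parse_template_set(self, source, domain, body):
        offset = 0
        while len(body) - offset >= 4:
            template_id, field_count = struct.unpack_from("!HH", body, offset)
            offset += 4
            if template_id < 256:          # trailing zero padding, not a template
                break
            fields = []
            for _ in range(field_count):
                ie_id, flen = struct.unpack_from("!HH", body, offset)
                offset += 4
                enterprise = 0
                if ie_id & 0x8000:         # enterprise-specific element carries a PEN
                    enterprise = struct.unpack_from("!I", body, offset)[0]
                    offset += 4
                    ie_id &= 0x7FFF
                fields.append((ie_id, enterprise, flen))
            if field_count == 0:           # field count 0 is a template withdrawal
                self.templates.pop((source, domain, template_id), None)
            else:
                self.templates[(source, domain, template_id)] = fields

    def _parse_data_set(self, source, domain, template_id, body):
        template = self.templates.get((source, domain, template_id))
        if template is None:
            # Same situation the Splunk add-on logs: data, but nothing to decode it with.
            raise NoTemplateError(f"Can't parse Data Set with Template ID: {template_id} "
                                  f"(from {source}, observer={domain}) with no template")
        min_len = sum(1 if flen == VARIABLE_LENGTH else flen for _, _, flen in template)
        records, offset = [], 0
        while len(body) - offset >= min_len:   # anything shorter than a record is padding
            record = {}
            for ie_id, enterprise, flen in template:
                if flen == VARIABLE_LENGTH:    # RFC 7011 section 7 variable-length encoding
                    flen = body[offset]
                    offset += 1
                    if flen == 255:
                        flen = struct.unpack_from("!H", body, offset)[0]
                        offset += 2
                raw = body[offset:offset + flen]
                offset += flen
                name = IE_NAMES.get(ie_id, f"ie{ie_id}") if enterprise == 0 else f"pen{enterprise}.ie{ie_id}"
                if enterprise == 0 and ie_id in (8, 12) and flen == 4:
                    record[name] = str(ipaddress.IPv4Address(raw))
                else:
                    record[name] = int.from_bytes(raw, "big")
            records.append(record)
        return records


# Builders for the constructed sample traffic (not captured from any real exporter)
def build_set(set_id, payload):
    return SET_HEADER.pack(set_id, SET_HEADER.size + len(payload)) + payload


def build_message(domain, sets, seq=0):
    body = b"".join(sets)
    return MSG_HEADER.pack(10, MSG_HEADER.size + len(body), 0, seq, domain) + body


FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]   # (IE ID, length) for template 256


def build_record(src, dst, sport, dport, proto, octets):
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!HHBI", sport, dport, proto, octets))


def run_demo():
    collector = IpfixCollector()
    source, domain = ("203.0.113.5", 50101), 1      # hypothetical exporter, documentation address
    template_set = build_set(TEMPLATE_SET_ID, struct.pack("!HH", 256, len(FIELDS))
                             + b"".join(struct.pack("!HH", ie, ln) for ie, ln in FIELDS))
    data_set = build_set(256, build_record("10.0.0.1", "192.0.2.10", 51515, 443, 6, 1500)
                         + build_record("10.0.0.2", "192.0.2.10", 51516, 443, 6, 900))
    results = {}
    try:                                             # data before any template: undecodable
        collector.parse_message(source, build_message(domain, [data_set], seq=0))
        results["first"] = "decoded"
    except NoTemplateError as err:
        results["first"] = str(err)
    # template followed by data in one message: decodes, and the template is now cached
    results["second"] = collector.parse_message(source, build_message(domain, [template_set, data_set], seq=2))
    # data alone again: decodes from the cached template, no template resend needed
    results["third"] = collector.parse_message(source, build_message(domain, [data_set], seq=4))
    return results


if __name__ == "__main__":
    for stage, outcome in run_demo().items():
        print(stage, outcome)
```

The first message reproduces the question's failure: the data set names template 256, but with no template record the bytes cannot be interpreted, so the only safe option is to log and drop them. Once a template set has arrived, a collector that caches templates per exporter and observation domain (and persists that cache across restarts, as the second answer describes for NFO) needs no periodic resend; one that starts with an empty cache will keep logging this warning until the exporter sends the template again.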