After installing the Splunk_TA_ipfix add-on, it is found that several settings are inserted to Splunk inputs.
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf [MonitorNoHandle]
C:\matthew\Splunk621\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = percy
index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf [SSL]
C:\matthew\Splunk621\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf allowSslRenegotiation = true
C:\matthew\Splunk621\etc\system\default\inputs.conf baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dc_name =
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
C:\matthew\Splunk621\etc\system\local\inputs.conf host = percy
C:\matthew\Splunk621\etc\system\default\inputs.conf index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf port = 4739
C:\matthew\Splunk621\etc\system\default\inputs.conf sslQuietShutdown = false
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf [WinEventLog]
C:\matthew\Splunk621\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = percy
index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\local\inputs.conf [WinEventLog://Application]
C:\matthew\Splunk621\etc\system\default\inputs.conf _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf buffer = 10485760
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf checkpointInterval = 5
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf current_only = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\local\inputs.conf disabled = 0
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf evt_resolve_ad_obj = 0
host = percy
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf index = wineventlog
C:\matthew\Splunk621\etc\system\default\inputs.conf interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf renderXml = false
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf start_from = oldest
Hello from the future... this is now using modular inputs and doesn't enable inputs by default.
For the Splunk_TA_ipfix app, the inputs should be modular input, the setting should be like below:
[ipfix://NetScaler_AppFlow]
sourcetype = xxx
index = aaaa
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = 0
However the default inputs.conf in the app, I would suggest to comment the stanza as it causes all the inputs having some weird settings.
#[ipfix]
#address = 0.0.0.0
#port = 4739
#buffer = 10485760