Several inputs enabled after Splunk_TA_ipfix installed

mwong
Splunk Employee

After installing the Splunk_TA_ipfix add-on, it was found that several settings are inserted into the Splunk inputs.

C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               [MonitorNoHandle]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
host = percy
index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               [SSL]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             allowSslRenegotiation = true
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf                             cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             evt_dc_name =
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
C:\matthew\Splunk621\etc\system\local\inputs.conf                               host = percy
C:\matthew\Splunk621\etc\system\default\inputs.conf                             index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\system\default\inputs.conf                             sslQuietShutdown = false
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               [WinEventLog]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
host = percy
index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\local\inputs.conf               [WinEventLog://Application]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             checkpointInterval = 5
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             current_only = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\local\inputs.conf               disabled = 0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
host = percy
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             index = wineventlog
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             renderXml = false
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             start_from = oldest
0 Karma

jcoates_splunk
Splunk Employee

Hello from the future... this is now using modular inputs and doesn't enable inputs by default.

0 Karma

mwong
Splunk Employee

For the Splunk_TA_ipfix app, the inputs should be modular inputs; the settings should look like the following:

[ipfix://NetScaler_AppFlow]
sourcetype = xxx
index = aaaa
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = 0

However, for the default inputs.conf in the app, I would suggest commenting out the stanza, as it causes all the inputs to have some weird settings.

#[ipfix]
#address = 0.0.0.0
#port = 4739
#buffer = 10485760 
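
A way to spot this kind of bleed-through, as an added example (not part of the original posts and not Splunk's code): it parses a listing laid out like the one in the question, the format `splunk btool inputs list --debug` prints, and reports settings that an app contributes with the same value to every stanza. The sample listing, its `C:\Splunk` paths and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the same "<source file>  <line>" layout as the listing above.
SAMPLE = r"""
C:\Splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf    [SSL]
C:\Splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf    address = 0.0.0.0
C:\Splunk\etc\system\default\inputs.conf                  interval = 60
C:\Splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf    port = 4739
C:\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf    [WinEventLog://Application]
C:\Splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf    address = 0.0.0.0
C:\Splunk\etc\apps\Splunk_TA_windows\local\inputs.conf    disabled = 0
host = percy
C:\Splunk\etc\apps\Splunk_TA_ipfix\default\inputs.conf    port = 4739
"""

# Optional source path ending in "<name>.conf", then the stanza header or setting.
LINE = re.compile(r"^(?:(?P<src>\S.*?[\\/]\w+\.conf)\s+)?(?P<body>\S.*)$")
APP = re.compile(r"[\\/]etc[\\/]apps[\\/]([^\\/]+)[\\/]")

def parse(text):
    """Return {stanza: {key: (value, source_app or None)}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line
        body = m.group("body")
        if body.startswith("[") and body.endswith("]"):
            current = stanzas.setdefault(body, {})
        elif current is not None and "=" in body:
            key, _, value = body.partition("=")
            app = APP.search(m.group("src") or "")  # None for system files
            current[key.strip()] = (value.strip(), app.group(1) if app else None)
    return stanzas

def leaked_settings(stanzas):
    """Sorted (app, key, value) tuples that an app supplies to every stanza."""
    if len(stanzas) < 2:
        return []  # a single stanza cannot show inheritance across stanzas
    seen = defaultdict(int)
    for settings in stanzas.values():
        for key, (value, app) in settings.items():
            if app:
                seen[(app, key, value)] += 1
    return sorted(k for k, n in seen.items() if n == len(stanzas))

if __name__ == "__main__":
    for app, key, value in leaked_settings(parse(SAMPLE)):
        print(f"{app} sets {key} = {value} on every input stanza")
```

A hit on `address` or `port` from an unrelated add-on is the pattern shown in the question, where every input stanza carries `address = 0.0.0.0` and `port = 4739` from Splunk_TA_ipfix.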