All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Several inputs enabled after Splunk_TA_ipfix installed

mwong
Splunk Employee
Splunk Employee
‎01-12-2015 12:32 AM

After installing the Splunk_TA_ipfix add-on, it is found that several settings are inserted to Splunk inputs. 

C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               [MonitorNoHandle]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
host = percy
index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               [SSL]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             allowSslRenegotiation = true
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf                             cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             evt_dc_name =
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
C:\matthew\Splunk621\etc\system\local\inputs.conf                               host = percy
C:\matthew\Splunk621\etc\system\default\inputs.conf                             index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\system\default\inputs.conf                             sslQuietShutdown = false
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               [WinEventLog]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
host = percy
index = default
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\local\inputs.conf               [WinEventLog://Application]
C:\matthew\Splunk621\etc\system\default\inputs.conf                             _rcvbuf = 1572864
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               address = 0.0.0.0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             baseline = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               buffer = 10485760
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             checkpointInterval = 5
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             current_only = 0
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\local\inputs.conf               disabled = 0
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dc_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_dns_name =
C:\matthew\Splunk621\etc\system\default\inputs.conf                             evt_resolve_ad_obj = 0
host = percy
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             index = wineventlog
C:\matthew\Splunk621\etc\system\default\inputs.conf                             interval = 60
C:\matthew\Splunk621\etc\apps\Splunk_TA_ipfix\default\inputs.conf               port = 4739
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             renderXml = false
C:\matthew\Splunk621\etc\apps\Splunk_TA_windows\default\inputs.conf             start_from = oldest
0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎05-24-2015 11:01 AM

Hello from the future... this is now using modular inputs and doesn't enable inputs by default.

0 Karma
Reply

mwong
Splunk Employee
Splunk Employee
‎01-12-2015 12:42 AM

For the Splunk_TA_ipfix app, the inputs should be modular input, the setting should be like below:

[ipfix://NetScaler_AppFlow]
sourcetype = xxx
index = aaaa
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = 0

However the default inputs.conf in the app, I would suggest to comment the stanza as it causes all the inputs having some weird settings.

#[ipfix]
#address = 0.0.0.0
#port = 4739
#buffer = 10485760
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...