We have the Splunk Add-on for IPFIX installed on one of our Heavy Forwarders.
I noticed that one of the Python scripts is causing a daily crash of that HWF host.
-Path of the .py script:
-Checked splunkd.log in the heavy-weight forwarder, could not find any information related to
-Checked appflow.log, log had stopped for more than 20h. Also found some errors like this:
TimeStamp="2016-03-02T20:35:33"; Template="265"; Observer="0"; Address=""; Port="<>"; ParseError="Template not known (yet).";
-Checked debug.log, it is full of
Have not implemented parsing for 'None' of length 8 (5951:319) which is needed for template 284.
-Ping the Netscaler, PING OK
-Restarted host and Splunk heavy-weight forwarder, still with no luck.
Has anyone seen this before?
Any advice will be much appreciated!
Thank you very much in advance.
Each time after restarting Splunk, that Python script stops for about 10 mins, then it starts running again and uses 100% of CPU. The memory also keeps increasing from 0% to 70%. Not long after, the host will crash.
I have confirmed there is enough HDD space for running the script.
But why does the Python script use all the CPU, with the memory ever increasing, and eventually crash the host?
Could it be that the ipfix_collector.py script doesn't have permission to write to the disk?
Hi, you're getting this error because you need to add enterprise information elements for the device you're trying to parse data from.
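To illustrate the answer above, here is an added example (not part of the original thread and not the add-on's code) that parses an IPFIX Template Set as laid out in RFC 7011 and lists the fields a collector has no definition for. It assumes the `(5951:319)` pair in the debug.log line is an enterprise number and element ID; the `KNOWN` table and the sample bytes are constructed.

```python
import struct

# Element definitions the collector already has, keyed by
# (enterprise_number, element_id); enterprise 0 = IANA-registered.
# Constructed for this example, not the add-on's real element table.
KNOWN = {(0, 8), (0, 12)}

def parse_template_set(data):
    """Parse one IPFIX Template Set (Set ID 2, RFC 7011 section 3.4.1).

    Returns {template_id: [(enterprise_number, element_id, length), ...]}.
    """
    if len(data) < 4:
        raise ValueError("buffer shorter than a set header")
    set_id, set_len = struct.unpack_from("!HH", data, 0)
    if set_id != 2:
        raise ValueError("not a Template Set")
    if set_len < 4 or set_len > len(data):
        raise ValueError("set length does not fit the buffer")
    templates, off = {}, 4
    while off + 4 <= set_len:
        template_id, field_count = struct.unpack_from("!HH", data, off)
        off += 4
        if template_id < 256:  # IDs below 256 are reserved: trailing padding
            break
        fields = []
        for _ in range(field_count):
            if off + 4 > set_len:
                raise ValueError("truncated field specifier")
            raw_id, length = struct.unpack_from("!HH", data, off)
            off += 4
            enterprise = 0
            if raw_id & 0x8000:  # enterprise bit: a 4-byte enterprise number follows
                if off + 4 > set_len:
                    raise ValueError("truncated enterprise number")
                (enterprise,) = struct.unpack_from("!I", data, off)
                off += 4
            fields.append((enterprise, raw_id & 0x7FFF, length))
        templates[template_id] = fields
    return templates

def undefined_elements(templates, known=KNOWN):
    """Per template, list the fields the collector has no definition for."""
    return {tid: [f for f in fields if (f[0], f[1]) not in known]
            for tid, fields in templates.items()}

# Constructed template 284: two IANA fields plus enterprise element 5951:319.
SAMPLE = (struct.pack("!HHHH", 2, 24, 284, 3) + struct.pack("!HH", 8, 4)
          + struct.pack("!HH", 12, 4) + struct.pack("!HHI", 0x8000 | 319, 8, 5951))
```

Calling `undefined_elements(parse_template_set(SAMPLE))` reports the single enterprise field of template 284 as lacking a definition, which is the situation the debug.log message describes.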
Thanks for your response. Likely we have not configured a template for this Citrix device yet. That partially answers my question.
We have another HWF which is receiving templates correctly, but the ipfix_collector.py script is still progressively growing in memory usage (same memory issue as in my earlier comment: it used 100% CPU, and memory grew gradually...). Is this expected for this Python script?
Hi, anyone there?
So how do I configure a template for the Citrix device?