All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Add-on for Netflow: Why are Netflow timestamps interpreted incorrectly by Splunk Enterprise?

msudhindra
Path Finder
‎06-01-2015 04:59 PM

Hi,

We are collecting some test flows from a Cisco ASA, in order to evaluate the feasibility of implementing this app across our entire environment.

We were able to get the app working without any issues, and the search head sees the flows without any issues.

The problem that we are having is that Splunk Enterprise seems to be interpreting the timestamp on a flow, incorrectly.

For example, the raw flow in the nfdump-ascii directory looks like this -

2015-06-01 16:36:31,2015-06-01 16:36:31,0.000,10.0.0.115,30.30.30.30,49649,443,TCP,......,0,0,0,0,0,0,8,7,0,0,0,0,0,0,0.0.0.0,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:0:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0, 0.000, 0.000, 0.000,10.10.0.10,0/0,1,2015-06-01 16:36:32.088

When I see the flow in the Splunk UI, it shows up thusly -
alt text

Any idea on what could be wrong ?

Thanks and Regards,
Madan Sudhindra

Preview file
5 KB
Reply
1 Solution
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎06-13-2015 06:39 PM

Hi,

this can be affected by a lot of different settings; the best way to figure out what's going on is to open a support ticket.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

hemendralodhi
Contributor
‎02-19-2017 08:00 PM

Hello Madan,

Can you let me know how you configured the netflow? Did you configure the script using root user? We are not able to see any netflow data in ascii directory?

Thanks
Hemendra

0 Karma
Reply
Solved! Jump to solution

hemendralodhi
Contributor
‎02-19-2017 08:01 PM

I am using port 2056 to receive V9 netflow data.

0 Karma
Reply
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎06-13-2015 06:39 PM

Hi,

this can be affected by a lot of different settings; the best way to figure out what's going on is to open a support ticket.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...