All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Add-on for Netflow: Why are Netflow timestamps interpreted incorrectly by Splunk Enterprise?

msudhindra
Path Finder
‎06-01-2015 04:59 PM

Hi,

We are collecting some test flows from a Cisco ASA, in order to evaluate the feasibility of implementing this app across our entire environment.

We were able to get the app working without any issues, and the search head sees the flows without any issues.

The problem that we are having is that Splunk Enterprise seems to be interpreting the timestamp on a flow, incorrectly.

For example, the raw flow in the nfdump-ascii directory looks like this -

2015-06-01 16:36:31,2015-06-01 16:36:31,0.000,10.0.0.115,30.30.30.30,49649,443,TCP,......,0,0,0,0,0,0,8,7,0,0,0,0,0,0,0.0.0.0,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:0:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0, 0.000, 0.000, 0.000,10.10.0.10,0/0,1,2015-06-01 16:36:32.088

When I see the flow in the Splunk UI, it shows up thusly -
alt text

Any idea on what could be wrong ?

Thanks and Regards,
Madan Sudhindra

Preview file
5 KB
Reply
1 Solution
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎06-13-2015 06:39 PM

Hi,

this can be affected by a lot of different settings; the best way to figure out what's going on is to open a support ticket.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

hemendralodhi
Contributor
‎02-19-2017 08:00 PM

Hello Madan,

Can you let me know how you configured the netflow? Did you configure the script using root user? We are not able to see any netflow data in ascii directory?

Thanks
Hemendra

0 Karma
Reply
Solved! Jump to solution

hemendralodhi
Contributor
‎02-19-2017 08:01 PM

I am using port 2056 to receive V9 netflow data.

0 Karma
Reply
Solved! Jump to solution
Solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎06-13-2015 06:39 PM

Hi,

this can be affected by a lot of different settings; the best way to figure out what's going on is to open a support ticket.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...