We are running Splunk Stream 7.3. In _internal sourcetype=stream:log we see the following warning messages:
" NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 256 received for observation domain id xyz from device 172.x.y.z . Dropping flow data set of size xxxx..."
Netflow exporters are configured to send out their templates every so many seconds. Eventually the netflow exporter will send the template and the warning messages will stop.
My question is whether that data actually dropped or is it cached until the template is received? Am I losing that data? Similar applications that collect netflow (Cisco Stealthwatch, Wireshark) will cache the data until they receive the template. This has implications when load balancing several hundred exporters to an array of Independent Stream Forwarders in order to determine if session persistence is necessary.
