Hi,

I've got the latest Splunk Stream app installed & configured to accept Netflow v9 events from my router. This part works fine actually.
However, when starting to dig deeper in "useful" fields it seems I'm missing a few...I would expect the Stream App to be able to cope with everything "standard" within v9/IPFIX packets/templates.

When going to the STM App -> Configuration -> Configure Stream -> Netflow -> "Edit" you get this nice list of about 156 fields which I all enabled.

Now I've taken Wireshark capture from the v9 data arriving at my Splunk server and the "template" contains these fields below.

Field (20/23): postNATSourceIPv4Address
Type: postNATSourceIPv4Address (225)
Length: 4

Field (21/23): postNATDestinationIPv4Address
Type: postNATDestinationIPv4Address (226)
Length: 4

Field (22/23): postNAPTSourceTransportPort
Type: postNAPTSourceTransportPort (227)
Length: 2

Field (23/23): postNAPTDestinationTransportPort
Type: postNAPTDestinationTransportPort (228)
Length: 2

And a typical populated capture would look like this :

Cisco NetFlow/IPFIX
Version: 9
Count: 7
SysUptime: 873590.040000000 seconds
Timestamp: Jun 22, 2020 10:03:08.000000000 CEST
CurrentSecs: 1592812988
FlowSequence: 22
SourceId: 0
FlowSet 1 [id=256] (7 flows)
FlowSet Id: (Data) (256)
FlowSet Length: 532
[Template Frame: 1]
Flow 1
[Duration: 0.000000000 seconds (switched)]
StartTime: 873528.130000000 seconds
EndTime: 873528.130000000 seconds
Packets: 1
Octets: 86
InputInt: 15
OutputInt: 14
SrcAddr: IP.OF.INTERNAL.PC
DstAddr: SOME.PUBLIC.ISP.DNSADDRESS
Protocol: UDP (17)
IP ToS: 0x00
SrcPort: 51020 (51020)
DstPort: 53 (53)
NextHop: SOME.PUBLIC.ISP.DNSADDRESS
DstMask: 0
SrcMask: 0
TCP Flags: 0x00
Destination Mac Address: Router12_12:12:c6 (61:3c:61:31:11:b1)
Source Mac Address: ASRockIn_84:01:36 (d0:50:99:84:01:36)
Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
Post NAT Source IPv4 Address: MY.PUBLIC.ISP.ADDRESS
Post NAT Destination IPv4 Address: SOME.PUBLIC.ISP.DNSADDRESS
Post NAPT Source Transport Port: 51020
Post NAPT Destination Transport Port: 53

Looking again at my Splunk Enterprise intstallation, there is this "vocabulaire" file under

opt/splunk/etc/apps/Splunk_TA_stream/default/vocabularies

It contains the "netflow.xml" file with (what I think) all field that can be "interpreted" / "decoded" as the Netflow packets arrive.

<Term id="netflow.postNATSourceIPAddress">
<Term id="netflow.postNATDestinationIPAddress">
<Term id="netflow.postNAPTSourceTransportPort">
<Term id="netflow.postNAPTDestinationTransportPort">

So ... these 4 fields seem to already be part of the default vocabulary ... yet they never show up as any accessible "field" in Splunk ?

In a moment of madness, I've edited the file below and make some additions.

(router = Mikrotik = IANA Vendor ID 14988)

user@splunky:/opt/splunk/etc/apps/Splunk_TA_stream/default# more streamfwd.conf
[streamfwd]
port = 8889
ipAddr = 127.0.0.1

netflowReceiver.0.ip = IP.OF.MY.SPLUNK
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

netflowElement.0.enterpriseid = 14988
netflowElement.0.id = 225
netflowElement.0.termid = netflow.postNATSourceIPAddress

netflowElement.1.enterpriseid = 14988
netflowElement.1.id = 226
netflowElement.1.termid = netflow.postNATDestinationIPAddress

netflowElement.2.enterpriseid = 14988
netflowElement.2.id = 227
netflowElement.2.termid = netflow.postNAPTSourceTransportPort

netflowElement.3.enterpriseid = 14988
netflowElement.3.id = 228
netflowElement.3.termid = netflow.postNAPTDestinationTransportPort

...then stop/start my Splunk but these fields don't show up with the 156 possible fields under the "stream config" tab (see earlier)

To cut a long story short : Where are these fields ? Why are they not showing up since they are hitting the Splunk Stream App and it seems they are "known"

Thanks!