I've got the latest Splunk Stream app installed and configured to accept NetFlow v9 events from my router. This part actually works fine. However, when starting to dig deeper into the "useful" fields, it seems I'm missing a few... I would expect the Stream app to be able to cope with everything "standard" within v9/IPFIX packets/templates.
When going to the STM App -> Configuration -> Configure Stream -> Netflow -> "Edit", you get this nice list of about 156 fields, all of which I enabled.
Now I've taken a Wireshark capture of the v9 data arriving at my Splunk server, and the "template" contains the fields below.
Field (20/23): postNATSourceIPv4Address Type: postNATSourceIPv4Address (225) Length: 4
Field (21/23): postNATDestinationIPv4Address Type: postNATDestinationIPv4Address (226) Length: 4
Field (22/23): postNAPTSourceTransportPort Type: postNAPTSourceTransportPort (227) Length: 2
Field (23/23): postNAPTDestinationTransportPort Type: postNAPTDestinationTransportPort (228) Length: 2
And a typical populated capture would look like this:
Cisco NetFlow/IPFIX
    Version: 9
    Count: 7
    SysUptime: 873590.040000000 seconds
    Timestamp: Jun 22, 2020 10:03:08.000000000 CEST
    CurrentSecs: 1592812988
    FlowSequence: 22
    SourceId: 0
    FlowSet 1 [id=256] (7 flows)
        FlowSet Id: (Data) (256)
        FlowSet Length: 532
        [Template Frame: 1]
        Flow 1
            [Duration: 0.000000000 seconds (switched)]
            StartTime: 873528.130000000 seconds
            EndTime: 873528.130000000 seconds
            Packets: 1
            Octets: 86
            InputInt: 15
            OutputInt: 14
            SrcAddr: IP.OF.INTERNAL.PC
            DstAddr: SOME.PUBLIC.ISP.DNSADDRESS
            Protocol: UDP (17)
            IP ToS: 0x00
            SrcPort: 51020 (51020)
            DstPort: 53 (53)
            NextHop: SOME.PUBLIC.ISP.DNSADDRESS
            DstMask: 0
            SrcMask: 0
            TCP Flags: 0x00
            Destination Mac Address: Router12_12:12:c6 (61:3c:61:31:11:b1)
            Source Mac Address: ASRockIn_84:01:36 (d0:50:99:84:01:36)
            Post Source Mac Address: 00:00:00_00:00:00 (00:00:00:00:00:00)
            Post NAT Source IPv4 Address: MY.PUBLIC.ISP.ADDRESS
            Post NAT Destination IPv4 Address: SOME.PUBLIC.ISP.DNSADDRESS
            Post NAPT Source Transport Port: 51020
            Post NAPT Destination Transport Port: 53
Looking again at my Splunk Enterprise installation, there is this "vocabulaire" file under
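For anyone wanting to check what a collector has to do with the template above, here is an added example (my own code, not part of the original post and not the Splunk Stream app's decoder): a minimal NetFlow v9 parser in Python that decodes a template FlowSet carrying the post-NAT elements 225-228 and then applies that template to a data FlowSet. The packet it parses is constructed inline, with RFC 5737 documentation addresses standing in for the real ones; the element IDs are taken from the IANA IPFIX registry, which is what the Wireshark template lines show. It also handles the case where a data FlowSet arrives before its template, which is the usual reason a collector silently shows nothing for a field.

```python
"""Minimal NetFlow v9 decoder (RFC 3954 framing) that surfaces the post-NAT
fields. Added example, not Splunk Stream code; the packet is constructed."""
import socket
import struct

# Element IDs from the IANA IPFIX registry; names are our own labels.
FIELD_NAMES = {
    4: "protocol",
    7: "src_port",
    8: "src_addr",
    11: "dst_port",
    12: "dst_addr",
    225: "post_nat_src_addr",        # postNATSourceIPv4Address
    226: "post_nat_dst_addr",        # postNATDestinationIPv4Address
    227: "post_napt_src_port",       # postNAPTSourceTransportPort
    228: "post_napt_dst_port",       # postNAPTDestinationTransportPort
}
IPV4_FIELDS = {8, 12, 225, 226}


def decode_value(ftype, raw):
    """Render 4-byte address elements dotted-quad, everything else as an int."""
    if ftype in IPV4_FIELDS and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Parse one export packet. Returns (records, templates).

    templates maps (source_id, template_id) -> [(element_id, length), ...] and
    is meant to be carried across packets: templates are only resent
    periodically, so a data FlowSet may arrive before its template.
    """
    if templates is None:
        templates = {}
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError("not NetFlow v9: version %d" % version)
    records = []
    off = 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4:
            raise ValueError("bad FlowSet length %d" % set_len)
        body = packet[off + 4:off + set_len]
        if set_id == 0:  # template FlowSet: one or more templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                p += 4 * nfields
                templates[(source_id, tid)] = fields
        elif set_id >= 256:  # data FlowSet, keyed by template id
            fields = templates.get((source_id, set_id))
            if fields is None:
                # No template yet: a collector must drop or buffer these records.
                records.append({"template_id": set_id, "undecoded": True})
            else:
                rec_len = sum(flen for _, flen in fields)
                p = 0
                while p + rec_len <= len(body):  # trailing bytes are 4-byte padding
                    rec = {}
                    for ftype, flen in fields:
                        name = FIELD_NAMES.get(ftype, "unknown_%d" % ftype)
                        rec[name] = decode_value(ftype, body[p:p + flen])
                        p += flen
                    records.append(rec)
        off += set_len
    return records, templates


def build_sample_packet(include_template=True):
    """Constructed packet: template 256 with the post-NAT elements, one data record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (225, 4), (226, 4), (227, 2), (228, 2)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_set = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body
    rec = (socket.inet_aton("192.0.2.10")        # internal PC (constructed)
           + socket.inet_aton("198.51.100.53")   # ISP DNS (constructed)
           + struct.pack("!HHB", 51020, 53, 17)
           + socket.inet_aton("203.0.113.7")     # public NAT address (constructed)
           + socket.inet_aton("198.51.100.53")
           + struct.pack("!HH", 51020, 53))
    data_body = rec + b"\x00" * ((4 - len(rec) % 4) % 4)
    data_set = struct.pack("!HH", 256, 4 + len(data_body)) + data_body
    sets = ([tmpl_set] if include_template else []) + [data_set]
    header = struct.pack("!HHIIII", 9, len(sets), 873590040, 1592812988, 22, 0)
    return header + b"".join(sets)


if __name__ == "__main__":
    recs, _ = parse_netflow_v9(build_sample_packet())
    print(recs[0]["post_nat_src_addr"], recs[0]["post_napt_dst_port"])
```

If the data record comes out as "undecoded" here, the template was never seen on the collecting side; with a real exporter that is the first thing to rule out before blaming the field list, by capturing a few minutes of traffic and confirming a template FlowSet (id 0) with element 225 actually arrives at the Splunk host.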