All Apps and Add-ons

[Splunk Stream and NetScaler Appflow] No data forwarded to ad hoc SH or indexers.

edwardrose
Contributor

Hello All,

We were using Splunk_TA_ipfix to collect the NetScaler Appflow logs and send them to our index cluster. With the release of Splunk_TA_citrix_netscaler 7.0.1, it states to collect Appflow logs using Splunk Stream. I am not sure what I am doing wrong. Here is my distributed environment:

2 Non-Clustered ADHOC SH
1 Non-Clustered ES SH
13 Node Index cluster

I installed the NetScaler TA on all SHs and all indexers
I installed Stream one of my ADHOC SH that is not busy
I installed Stream TA on a heavy forwarder that was configured to receive data Appflow data when ipfix TA was installed.

Splunk_TA_stream configuration files:

streamforward.conf:

[streamfwd]
netflowReceiver.0.ip = 0.0.0.0
netflowReceiver.0.port = 4739
netflowReceiver.0.protocol = udp
netflowReceiver.0.decoder = netflow

inputs.conf:

[streamfwd://streamfwd]
splunk_stream_app_location = https://adhoc_sh_1:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0

I do not see any data being forwarded to the ad hoc SH nor do I see any data being sent to the indexers for the NetScaler appflow sourcetype. The instructions for collect IPFIX/APPFLOW are as about as clear as mud on a moonless night on a cloudy night in the middle of winter. I know I do not have the inputs setup properly and I am not sure what else I have wrong. Any help would be greatly appreciated.

Thanks,

Ed

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...

SplunkTrust | 2024 SplunkTrust Application Period is Open!

It's that time again, folks! That's right, the application/nomination period for the 2024 SplunkTrust is ...