- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Splunk app for Netflow Issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My first step was to send netflow from our Core 6500 cisco switch over port 9996. I then Created a Linux Redhat x64 VM and installed the UniversalForwarder, dropped the "TA" netflow app inside the /etc/apps (Splunk Add-on for Netflow). Setup a listener on port 9996 with a name of netflow. Ran the configure.sh option 1 and setup a forward to our splunk server to port 9996 as well. Went on our Splunk GUI, which is a windows server 2008 R2 and setup a Receiver for port 9996 on the manager and not getting any data. on the Linux machine i checked the /opt/splunkforwarder/bin/splunk list forward-server and shows active. Im assuming it should be forward-server and not search-server.
I even tried just setting up a port UDP 9996 and confirmed i was getting data but it was unreadable and said something about data "Cooked v3". I'm sure its missing something small. inside the bin file the Linux_x86_64_core2 folder is being used. Here is a short grep from the splunkd.log. I searched everywhere for this nfdump-binary but its not there, i wasnt sure if the app should be creating it if its not present. I also know the app is deprecated but was told it should still work. Did not want to get a 3rd party piece if not necessary such as netlogic.
04-14-2014 21:31:32.380 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_flowfix/bin/flowfix.sh" stat() failed on /opt/splunkforwarder/etc/apps/Splunk_TA_flowfix/nfdump-binary: No such file or directory
04-14-2014 21:31:32.384 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_flowfix/bin/flowfix.sh" find: /opt/splunkforwarder/etc/apps/Splunk_TA_flowfix/nfdump-binary': No such file or directory/opt/splunkforwarder/etc/apps/Splunk_TA_flowfix/nfdump-binary': No such file or directory
04-14-2014 21:31:32.386 -0400 ERROR ExecProcessor - message from "/opt/splunkforwarder/etc/apps/Splunk_TA_flowfix/bin/flowfix.sh" find:
04-14-2014 21:31:56.434 -0400 WARN TcpOutputFd - Connect to 10.90.100.222:9996 failed. Connection refused
04-14-2014 21:31:56.434 -0400 ERROR TcpOutputFd - Connection to host=10.90.100.222:9996 failed
Thanks in advance for any assistance,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue was missing directories within the Flowfix app. Just create nfdump-binary directory along with nfdump-ascii and works like a charm. Just wanted to point out it works with version 6.0.3 of splunk, and current universal forwarder on linux redhat x64.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue was missing directories within the Flowfix app. Just create nfdump-binary directory along with nfdump-ascii and works like a charm. Just wanted to point out it works with version 6.0.3 of splunk, and current universal forwarder on linux redhat x64.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
