
Stream App + Netscaler AddOn: Why are Netflow elements not decoded?

Stan816
Explorer

Hello everyone,

I am currently working on the integration of Citrix NetScaler with Splunk. I'd like to see the AppFlow/NetFlow data in Splunk to use it for traffic balancing.

My setup is as follows:

  • Splunk v8.2.4
  • Splunk App for Stream v 8.0.2 (and the TAs as well)
  • Splunk Add-on for Citrix NetScaler v8.1.1

I followed the docs and installed as described. The files from the Citrix TA are copied to the Stream app (https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/ConfigureIPFIXinputs).

Even though the NetFlow elements appear, they are not decoded, and I am seeing this:

[screenshot: Stan816_0-1651758303343.png]

Following IANA, I was able to figure out that "5951" is the manufacturer ID: https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers (which is NetScaler in this case).
Unfortunately I did not find any documentation on the decoding procedure for those bytes.

While trying to understand what the streamfwd binary does and how the solution is embedded into the Python scripts, I stumbled over one interesting fact. In $SPLUNK_HOME/etc/apps/splunk_app_stream/bin/splunk_app_stream/models/vocabulary.py there is a reference to this URL:
"http://purl.org/cloudmeter/config"
which seems to be involved in decoding somehow. However, when I try to open it, it shows a 404.

Coming back to the original issue: those AppFlows are not decoded. Is there a known solution for this? If not, does anyone know where those element definitions may be found?


Many thanks in advance!

Best

Stan


PS: Seems to be related to https://community.splunk.com/t5/All-Apps-and-Add-ons/How-to-decode-netflow-elements-Key-Values-pair/...

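For readers wondering what "those bytes" are: the following is an added example by the editor, not code from the original post, from Splunk Stream or from Citrix. It parses an IPFIX message the way RFC 7011 defines it: a template field whose Information Element ID has the high bit set is enterprise-specific, and the 2-byte length is then followed by a 4-byte Private Enterprise Number (the 5951 in the screenshot). A collector can only name a value if its vocabulary has an entry for the (PEN, element ID) pair; with no such entry it can only show the raw bytes, which is the symptom described above. The element ID 1000 under PEN 5951 is a hypothetical placeholder, not a real NetScaler element, and the sample message bytes are constructed inline.

```python
import socket
import struct
from dataclasses import dataclass

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
VARIABLE_LENGTH = 0xFFFF  # field length meaning "a length prefix precedes each value"
ENTERPRISE_BIT = 0x8000   # high bit of the element ID: a 4-byte PEN follows the length
PEN_CITRIX = 5951         # IANA Private Enterprise Number seen in the post

# Collector vocabulary: a few IANA elements, nothing for PEN 5951 (as in the post).
IANA_ELEMENTS = {(0, 1): "octetDeltaCount", (0, 8): "sourceIPv4Address",
                 (0, 12): "destinationIPv4Address"}

@dataclass
class FieldSpec:
    enterprise: int   # 0 for IANA-registered elements
    element_id: int
    length: int       # bytes, or VARIABLE_LENGTH

def parse_message(buf: bytes, templates: dict = None) -> list:
    """Parse one IPFIX message; templates it carries are kept in `templates`."""
    if templates is None:
        templates = {}
    version, msg_len, _export_time, _seq, _domain = struct.unpack("!HHIII", buf[:16])
    if version != IPFIX_VERSION or msg_len != len(buf):
        raise ValueError("not a complete IPFIX message")
    records, offset = [], 16
    while offset + 4 <= msg_len:
        set_id, set_len = struct.unpack("!HH", buf[offset:offset + 4])
        if set_len < 4 or offset + set_len > msg_len:
            raise ValueError("bad set length")
        body = buf[offset + 4:offset + set_len]
        if set_id == TEMPLATE_SET_ID:
            parse_template_set(body, templates)
        elif set_id >= 256:   # data set; the set ID names its template
            records.extend(parse_data_set(body, templates[set_id]))
        offset += set_len     # set ID 3 (options templates) is skipped here
    return records

def parse_template_set(body: bytes, templates: dict) -> None:
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[off:off + 4])
        off += 4
        specs = []
        for _ in range(count):
            raw_id, length = struct.unpack("!HH", body[off:off + 4])
            off += 4
            pen = 0
            if raw_id & ENTERPRISE_BIT:   # vendor element: the PEN follows
                (pen,) = struct.unpack("!I", body[off:off + 4])
                off += 4
            specs.append(FieldSpec(pen, raw_id & 0x7FFF, length))
        templates[tid] = specs

def parse_data_set(body: bytes, specs: list) -> list:
    # Smallest possible record; trailing bytes shorter than this are padding.
    min_len = sum(1 if s.length == VARIABLE_LENGTH else s.length for s in specs)
    records, off = [], 0
    while off + min_len <= len(body):
        rec = {}
        for s in specs:
            n = s.length
            if n == VARIABLE_LENGTH:      # 1-byte length, or 255 then a 2-byte length
                n = body[off]
                off += 1
                if n == 255:
                    (n,) = struct.unpack("!H", body[off:off + 2])
                    off += 2
            name, value = decode(s, body[off:off + n])
            rec[name] = value
            off += n
        records.append(rec)
    return records

def decode(s: FieldSpec, raw: bytes) -> tuple:
    """Return (name, value); elements missing from the vocabulary stay as hex bytes."""
    name = IANA_ELEMENTS.get((s.enterprise, s.element_id))
    if name is None:
        return f"enterprise:{s.enterprise}:{s.element_id}", raw.hex()
    if name.endswith("IPv4Address"):
        return name, socket.inet_ntoa(raw)
    return name, int.from_bytes(raw, "big")

def build_sample_message() -> bytes:
    """Constructed sample: three IANA elements plus a hypothetical Citrix element
    (ID 1000 under PEN 5951, variable-length string), then one data record."""
    fields = (struct.pack("!HH", 8, 4) + struct.pack("!HH", 12, 4) + struct.pack("!HH", 1, 8)
              + struct.pack("!HHI", ENTERPRISE_BIT | 1000, VARIABLE_LENGTH, PEN_CITRIX))
    template_rec = struct.pack("!HH", 256, 4) + fields
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template_rec)) + template_rec
    value = b"/login"
    data_rec = (socket.inet_aton("10.0.0.5") + socket.inet_aton("192.0.2.10")
                + struct.pack("!Q", 4096) + bytes([len(value)]) + value)
    data_set = struct.pack("!HH", 256, 4 + len(data_rec)) + data_rec
    body = template_set + data_set
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), 1651758303, 1, 1) + body
```

Running `parse_message(build_sample_message())` yields one record in which the three IANA fields are named and the PEN 5951 field comes out as `enterprise:5951:1000` with the hex of its bytes, the same shape as the undecoded values in the screenshot. The practical use is the template side: feed `parse_template_set` a template set captured from the appliance (for example from a packet capture on the IPFIX port) to list the (PEN, element ID, length) triples it exports; those are exactly the entries a vocabulary has to define before a collector can put names and types on the values.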

jodros
Builder

I am having the same issue. Did you find a resolution?
