Streamfwd after upgrade to 8.1.5 doesn't parse net...

Kim · ‎05-28-2025

Hello, colleagues.

I'm using an independent stream forwarder installed on Ubuntu 22.04.05 as a service.

After updating to 8.1.5 bytes_in, bytes_out, packets_in, packets_out are always equal to zero.

If I stop the service and change /opt/streamfwd/bin/streamfwd from 8.1.5 to 8.1.3 and start sert service again, everything is ok.

Anybody run into this?

thanks.

{ [-]
app_tag: PANA-L7-PEN : ххххххххх
bytes_in: 0
bytes_out: 0
dest_ip: x.x.x.x
dest_port: 55438
endtime: 2025-05-28T15:01:26Z
event_name: netFlowData
exporter_ip: x.x.x.x
exporter_time: 2025-May-28 15:01:26
exporter_uptime: 3148584010
flow_end_reason: 3
flow_end_rel: 0
flow_start_rel: 0
fwd_status: 64
input_snmpidx: 168
netflow_elements: [ [+]
]
netflow_version: 9
observation_domain_id: 1
output_snmpidx: 127
packets_in: 0
packets_out: 0
protoid: 6
selector_id: 0
seqnumber: 2278842767
src_ip: x.x.x.x
src_port: 9997
timestamp: 2025-05-28T15:01:26Z
tos: 0
}

splsophi

I am having the exact same problem. Did you manage to find a solution to this?

Also how did you downgrade to the old ISF streamfwd version?

Streamfwd after upgrade to 8.1.5 doesn't parse netflow fields (bytes_in, bytes_out, packets_in, packets_out)

troubleshooting

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

Join the Conversation

Streamfwd after upgrade to 8.1.5 doesn't parse netflow fields (bytes_in, bytes_out, packets_in, packets_out)

troubleshooting

Splunk Observability for AI

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!