connection_host = dns

abdulvehhaba · ‎08-15-2016

Hi

I am using Splunk addon for Netscaler and Citrix Netscaler with Appflow,

My Splunk addon for Netscaler local input.conf is below:

I am listening 8514 port via tcpdump, there is traffic but Splunk doesn't index anything

[udp://8514]

connection_host = dns

sourcetype = ns_log
index = netscaler
disabled = 0
connection_host = ip

'# A separate IPFIX addon is needed in order for the following stanza to work. http://apps.splunk.com/app/1801/

[ipfix://NetScaler_AppFlow]

sourcetype = appflow

index = netscaler

address = 0.0.0.0

port = 4739

buffer = 1048576

disabled = 0

[monitor:///opt/filteredCitrixNSLogs.log]
disabled = 1
sourcetype = ns_log
index = netscaler

hunters_splunk · ‎08-17-2016

Hi, I think you should set your source type to citrix:netscaler:syslog rather than ns_log. The CIM mapping and dashboard panels are dependent on this source type. If you have not done so, please download and deploy the latest release of Splunk Add-on for Citrix NetScaler: http://splunkbase.splunk.com/app/2770. Hope it helps. Thanks!

ddrillic · ‎08-15-2016

A good place to start is at I can't find my data!

abdulvehhaba · ‎08-16-2016

I downvoted this post because not solved problem

ddrillic · ‎08-17-2016

It's a place to start, man.

There is no indexed data

connection_host = dns

[ipfix://NetScaler_AppFlow]

sourcetype = appflow

index = netscaler

address = 0.0.0.0

port = 4739

buffer = 1048576

disabled = 0

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

There is no indexed data

connection_host = dns

[ipfix://NetScaler_AppFlow]

sourcetype = appflow

index = netscaler

address = 0.0.0.0

port = 4739

buffer = 1048576

disabled = 0

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR