
Why am I experiencing these problems with Splunk App for NetScaler AppFlow?

danielwalford
Engager

Hi, I'm pulling my hair out trying to get IPFIX/AppFlow data flowing into Splunk from NetScalers.

I can see the data coming in, but it looks like it's failing to get decoded:

Errors such as this in streamfwd.log:

2021-04-05 12:52:01 WARN [3528] (NetflowDecoder.cpp:1275) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 264 received for observation domain id 0 from device 172.31.113.8 . Dropping flow data set of size 1372

So, looking in splunk_app_stream.log, I see these errors after adding the Citrix netflow definitions:

2021-04-05 12:41:48,271 ERROR stream:569 - Invalid Stream definition for stream with id netflow -- Validation Error None is not of type 'string'

 

So it seems to me that there is some kind of problem between the definitions in the netflow file and possibly the citrix.xml vocabulary file, but I can't figure out what. If I could change the code so that when the error was thrown it would tell me what element is causing the problem, that would be very useful, but as it stands I'm in the dark.

Has anyone got this working? Or indeed know how to troubleshoot this?

Apps installed are:

splunk-add-on-for-stream-wire-data_730

splunk-add-on-for-stream-forwarders_730

splunk-app-for-stream_730

splunk-add-on-for-citrix-netscaler_800

 

0 Karma

jm9376
Engager

Figured out the issue with the Netscaler TA causing these errors. There are three in the netflow file that are breaking things:

 

{
    "aggType": "value",
    "desc": null,
    "enabled": true,
    "name": "netscalerLicenseType",
    "term": "citrix.netscalerLicenseType"
},
{
    "aggType": "value",
    "desc": null,
    "enabled": true,
    "name": "netscalerMaxLicenseCount",
    "term": "citrix.netscalerMaxLicenseCount"
},
{
    "aggType": "value",
    "desc": null,
    "enabled": true,
    "name": "netscalerCurrentLicenseConsumed",
    "term": "citrix.netscalerCurrentLicenseConsumed"
},

 

Stream does not like the fact that desc values are null and not properly wrapped in quotes. Since desc is kind of a useless field, I simply wrapped the word null in quotes and BOOM. Everything started up fine. 
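
An added example, not part of the original post and not Splunk's own code: one way to locate null-valued keys in a stream definition file, since the validation error does not name the offending entry. The sample input is constructed from the entries quoted above; the top-level `id`/`fields` wrapper and the `find_nulls`/`report` helper names are assumptions.

```python
import json

# Constructed sample shaped like the entries quoted in the post above; the
# top-level "id"/"fields" wrapper is an assumption about the file layout.
SAMPLE = """
{
  "id": "netflow",
  "fields": [
    {"aggType": "value", "desc": "Constructed example field", "enabled": true,
     "name": "exampleField", "term": "example.exampleField"},
    {"aggType": "value", "desc": null, "enabled": true,
     "name": "netscalerLicenseType", "term": "citrix.netscalerLicenseType"},
    {"aggType": "value", "desc": null, "enabled": true,
     "name": "netscalerMaxLicenseCount", "term": "citrix.netscalerMaxLicenseCount"}
  ]
}
"""

def find_nulls(node, path="$", owner=None):
    """Yield (json_path, owner_name) for every null value under node."""
    if isinstance(node, dict):
        # Remember the nearest enclosing "name" so the report is readable.
        owner = node.get("name") or owner
        for key, value in node.items():
            yield from find_nulls(value, f"{path}.{key}", owner)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_nulls(value, f"{path}[{index}]", owner)
    elif node is None:
        yield path, owner

def report(text):
    """Parse a stream definition and return its null-valued keys."""
    return list(find_nulls(json.loads(text)))

if __name__ == "__main__":
    import sys
    # With a file argument, scan that file; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE
    for json_path, owner in report(text):
        print(f"{json_path}: null (field name: {owner})")
```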

Spranta
Splunk Employee

Awesome!

0 Karma

danielwalford
Engager

Hi, I'm not entirely sure what I did in the end. I think I fixed the file. However, once I was getting the AppFlow data it became apparent it wasn't going to provide me with what I wanted. So instead I created a simple add-on that runs REST commands against ADM using PowerShell. That gives us the network stats that we were looking for.

jbrocks
Communicator

Oh okay, what information were you looking for, and do you have the edited XML file? 🙂 I am looking for NAT information, but we are also having some problems configuring Netscaler to send especially those data.

0 Karma

jbrocks
Communicator

I am having the same problem. Is there any solution to this? I just checked the version tag in citrix.xml, which does not match the newer Splunk versions. I edited it to my version, just to test, but I'm still having the same issues.

0 Karma

tprokop
New Member

I'm having the same problem a few months later. Did you end up finding a solution? @danielwalford 

0 Karma

Spranta
Splunk Employee

I'm getting the same error
Error saving stream: Invalid Stream definition for stream with id netflow -- Validation Error None is not of type 'string', Invalid Stream definition for stream with id netflow -- Validation Error None is not of type 'string', Invalid Stream definition for stream with id netflow -- Validation Error None is not of type 'string'

No idea which of the 277 entries in the vocabularies is causing the problems. Really annoying...

 

0 Karma