Problems with Splunk App for NetScaler AppFlow

danielwalford

Hi, I'm pulling my hair out trying to get IPFIX/AppFlow data flowing into Splunk from NetScalers.

I can see the data coming in, but it looks like it's failing to get decoded:

Errors such as this in streamfwd.log:

2021-04-05 12:52:01 WARN [3528] (NetflowDecoder.cpp:1275) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 264 received for observation domain id 0 from device 172.31.113.8 . Dropping flow data set of size 1372

So, looking in splunk_app_stream.log, I see these errors after adding the Citrix NetFlow definitions:

2021-04-05 12:41:48,271 ERROR stream:569 - Invalid Stream definition for stream with id netflow -- Validation Error None is not of type 'string'

 

So it seems to me that there is some kind of problem between the definitions in the netflow file and possibly the citrix.xml vocabulary file, but I can't figure out what. If I could change the code so that when the error was thrown it would tell me what element is causing the problem, that would be very useful, but as it stands I'm in the dark.

Has anyone got this working? Or indeed know how to troubleshoot this?

Apps installed are:

splunk-add-on-for-stream-wire-data_730

splunk-add-on-for-stream-forwarders_730

splunk-app-for-stream_730

splunk-add-on-for-citrix-netscaler_800
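
One way to find which element triggers a "None is not of type 'string'" validation error, as an added example that is not part of the original post or of Splunk's code: walk the JSON stream definition and report the path of every null, since a JSON null becomes Python None when loaded. It assumes the offending value is an explicit null in the definition file; the sample definition, its key names and the `name`/`term`/`id` hint keys are constructed for illustration and are not the real Stream schema.

```python
import json

# Constructed sample, NOT the real Splunk Stream netflow definition: the key
# names are assumptions, only the nested object/list shape matters here.
SAMPLE_DEFINITION = """
{
  "id": "netflow",
  "name": "netflow",
  "fields": [
    {"name": "src_ip", "term": "flows.example-src", "desc": "source address"},
    {"name": "app_name", "term": "flows.example-app", "desc": null},
    {"name": null, "term": "flows.example-rtt", "desc": "round trip time"}
  ],
  "extra": {"eventType": "flows.netflow", "interval": null}
}
"""


def find_nulls(node, path="$", parent=None):
    """Yield (json_path, enclosing_object) for every null under node."""
    if node is None:
        yield path, parent
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from find_nulls(value, f"{path}.{key}", node)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            # List items keep the dict that owns the list as their context.
            yield from find_nulls(value, f"{path}[{index}]", parent)


def report(definition_text, hint_keys=("name", "term", "id")):
    """Return one line per null, with a string sibling to help locate the entry."""
    doc = json.loads(definition_text)
    lines = []
    for path, parent in find_nulls(doc):
        hint = next((f"{k}={parent[k]!r}" for k in hint_keys
                     if parent and isinstance(parent.get(k), str)),
                    "no string sibling")
        lines.append(f"{path}: null ({hint})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DEFINITION):
        print(line)
```

To use it on a real definition, pass the file's contents to `report()` instead of the constructed sample.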

 
