I am attempting to get some analytics from the Netscaler into Splunk via an Independent Forwarder using AppFlow policies on the Netscaler.
I have followed this document to install and configure the Independent Forwarder:
I then followed this one to setup the above Independent Forwarder so it could receive the IPFIX data from the Netscaler AppFlow policy:
When I applied the Netscaler AppFlow policy to a virtual server, data was not coming through. I ran tail -f on streamfwd.log and it indicated that it did not have the required templates to decode the netflow. I amended the template refresh interval on the Netscaler to 60 seconds and, sure enough, not too long after that, the data was making its way into the specified index.
When I search the index where the data is going to (index="netscaler"), it seems the Netflow elements are not being decoded. I have basic information such as source ip and destination ip, but all other data, I suspect, is locked away under the netflow_elements: field, which contains no human readable data.
This document says to set the source type to citrix:netscaler:ipfix, and I did so in the httpinput inputs.conf, but this appears to have no effect, as the source on the aforementioned events is simply stream:netflow.
Any assistance would be greatly appreciated.
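The template dependence the poster ran into (data sets arriving before the collector holds the matching template cannot be decoded) is inherent to IPFIX, RFC 7011. The following is an added example, not part of the original post and not Splunk Stream's or Citrix's code: a minimal IPFIX collector that parses the message header and sets, caches template records per observation domain, counts data sets that arrive before their template, and decodes flow records once the template is known. The Information Element IDs (1, 7, 8, 11, 12) are taken from the IANA IPFIX registry; the sample messages are constructed inline; everything else (class and function names, the single observation domain) is illustrative.

```python
"""Minimal IPFIX (RFC 7011) collector showing why templates must arrive first."""
import struct
from ipaddress import IPv4Address

# Small subset of the IANA IPFIX Information Element registry (assumed; only
# the IEs used by the constructed sample below).
IE_NAMES = {
    1: "octetDeltaCount",
    7: "sourceTransportPort",
    8: "sourceIPv4Address",
    11: "destinationTransportPort",
    12: "destinationIPv4Address",
}


def decode_value(ie_id, raw):
    """Render IPv4 address IEs as dotted quads, everything else as an integer."""
    if ie_id in (8, 12) and len(raw) == 4:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


class IpfixCollector:
    def __init__(self):
        self.templates = {}     # (observation domain, template id) -> [(ie, length), ...]
        self.records = []       # decoded flow records as dicts
        self.undecodable = 0    # data sets dropped because no template was known

    def feed(self, message):
        """Parse one IPFIX message: 16-byte header followed by sets."""
        version, msg_len, _exp_time, _seq, domain = struct.unpack("!HHIII", message[:16])
        if version != 10 or msg_len != len(message):
            raise ValueError("not a well-formed IPFIX message")
        off = 16
        while off + 4 <= msg_len:
            set_id, set_len = struct.unpack("!HH", message[off:off + 4])
            if set_len < 4:
                raise ValueError("invalid set length")
            body = message[off + 4:off + set_len]
            if set_id == 2:                 # template set
                self._parse_templates(domain, body)
            elif set_id >= 256:             # data set, set id == template id
                self._handle_data(domain, set_id, body)
            # options templates (set id 3) are ignored in this example
            off += set_len

    def _parse_templates(self, domain, body):
        off = 0
        while off + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(count):
                ie, length = struct.unpack("!HH", body[off:off + 4])
                off += 4
                if ie & 0x8000:             # enterprise-specific IE: 4-byte PEN follows
                    ie &= 0x7FFF
                    off += 4
                fields.append((ie, length))
            self.templates[(domain, tid)] = fields

    def _handle_data(self, domain, tid, body):
        fields = self.templates.get((domain, tid))
        if fields is None:
            # Same situation as streamfwd logging "no template": the bytes are opaque.
            self.undecodable += 1
            return
        # Fixed-length fields only; variable-length IEs (length 65535) are not handled here.
        rec_len = sum(length for _, length in fields)
        off = 0
        while off + rec_len <= len(body):   # trailing bytes shorter than a record are padding
            rec = {}
            for ie, length in fields:
                rec[IE_NAMES.get(ie, f"ie{ie}")] = decode_value(ie, body[off:off + length])
                off += length
            self.records.append(rec)


# --- constructed sample traffic (not captured from a real NetScaler) ---------
TEMPLATE_256 = [(8, 4), (12, 4), (7, 2), (11, 2), (1, 8)]


def build_message(domain, sets, seq=0):
    body = b"".join(struct.pack("!HH", sid, 4 + len(p)) + p for sid, p in sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 0, seq, domain) + body


def template_set(tid, fields):
    return struct.pack("!HH", tid, len(fields)) + b"".join(
        struct.pack("!HH", ie, length) for ie, length in fields)


def flow_record(src, dst, sport, dport, octets):
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!HHQ", sport, dport, octets)


def demo():
    """Data before template is dropped; the same data after the template decodes."""
    c = IpfixCollector()
    data = build_message(1, [(256, flow_record("10.0.0.5", "10.0.0.80", 51234, 443, 1500))], seq=1)
    c.feed(data)
    before = len(c.records)
    c.feed(build_message(1, [(2, template_set(256, TEMPLATE_256))], seq=2))
    c.feed(data)
    return before, c.undecodable, c.records


if __name__ == "__main__":
    print(demo())
```

The collector drops template-less data sets rather than buffering them, which matches what the post describes the forwarder doing until the exporter resent its templates; a shorter template refresh interval on the exporter shortens that window after a collector restart, it does not remove it.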