Deployment Architecture

Netscaler AppFlow Independent Forwarder



I am attempting to get some analytics from the Netscaler into Splunk via an Independent Forwarder using AppFlow policies on the Netscaler.

I have followed this document to install and configure the Independent Forwarder:

I then followed this one to setup the above Independent Forwarder so it could receive the IPFIX data from the Netscaler AppFlow policy:

When I applied the Netscaler AppFlow policy to a virtual server data was not coming through. I tail -f the streamfwd.log and it was indicating that it did not have have the required templates to decode the netflow. I amended the template refresh interval on the Netscaler to 60 seconds and sure enough, not too long after that, the data was making its way into the specified index.

When I search the index where the data is going to (index="netscaler"), it seems the Netflow elements are not being decoded. I have basic information such as source ip and destination ip, but all other data, I suspect, is locked away under the netflow_elements: field, which contains no human readable data.
This document says to set the source type to citrix:netscaler:ipfix, and i did on the httpinput inputs.conf, but this appears to have no effect, as the source on the aforementioned events is simply stream:netflow.

Any assistance would be greatly appreciated.


Labels (1)
0 Karma



Another alternative to ingest Netscaler AppFlow (IPFIX) into Splunk is with our product - NetFlow Optimizer (We are Splunk Technology Partner). You can download it and get 60 day free license by visiting

Please contact us directly at if you have any questions or need help.

0 Karma
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...