Getting Data In

Need help receiving and parsing IPFIX data in Splunk using Splunk Stream

kn450
Explorer

Hello everyone,

I have a network monitoring system that exports data via IPFIX using Forwarding Targets.

I am trying to receive this data in Splunk using the Splunk Stream app. The add-on is installed and Stream is enabled, but I am facing the following issues:

  • Templates are not being received properly.

  • The data arrives, but it's unreadable or incomplete.

  • I need full flow data, including summaries or headers from Layer 7 (e.g., HTTP, DNS).

My question:
Has anyone successfully received and parsed IPFIX data in Splunk?

If so, could you share the steps or configurations you used (like streamfwd.conf, input settings, etc.)?

Any guidance would be greatly appreciated!

Thanks in advance!


tscroggins
Champion

Hi @kn450,

For a basic setup with either a standalone Splunk/Stream instance or separate Splunk and Stream instances, the steps at https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/UseStreamtoingestNetflowandIP... result in a working configuration.

In my test environment using a standalone instance on RHEL, I made only the following changes to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf to enable both capture and NetFlow/IPFIX:

[streamfwd]
streamfwdcapture.0.interfaceRegex = ens.+
netflowReceiver.0.port = 9996
netflowReceiver.0.decoder = netflow

I then enabled the netflow metadata stream in the Splunk Stream app.

Using SolarWinds NetFlow Generator <https://www.solarwinds.com/free-tools/flow-tool-bundle> (not an endorsement, but it's free), I sent sample IPFIX data to the standalone instance, which Stream successfully decoded:

{"endtime":"2025-06-29T23:20:12Z","timestamp":"2025-06-29T23:20:12Z","bytes_in":0,"dest_ip":"192.168.1.25","dest_port":443,"dest_sysnum":0,"event_name":"netFlowData","exporter_ip":"192.168.1.158","exporter_time":"2025-Jun-29 23:20:12","flow_end_rel":0,"flow_start_rel":0,"input_snmpidx":8,"netflow_version":10,"nexthop_addr":"1.1.1.2","observation_domain_id":0,"output_snmpidx":5,"packets_in":0,"protoid":6,"seqnumber":23000,"src_ip":"192.168.1.132","src_port":15449,"src_sysnum":0,"tcp_flags":0,"tos":0}

Custom NetFlow parsing is described at https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/AutoinputNetflow.

Can you confirm the default configuration works? If it does, we can dig into any customizations you need. If it doesn't, confirm your Stream instance is receiving correctly formatted IPFIX packets using tcpdump or another local capture tool.

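A small IPFIX message parser, added here as an example (it is not code from the thread or from Splunk Stream), to go with the tcpdump check above: it decodes a constructed IPFIX (NetFlow v10) message and shows what a collector can and cannot decode when the template set never arrives, which matches the "templates not received, data unreadable" symptom in the question. The three information element IDs, the sample addresses and byte counts are assumptions; only fixed-length fields are handled.

```python
import struct

# Subset of IANA IPFIX information element IDs decoded by name (assumption:
# anything else is returned as a raw big-endian integer under "ieNNN").
IE_NAMES = {1: "octetDeltaCount", 8: "sourceIPv4Address", 12: "destinationIPv4Address"}


def build_sample(include_template=True):
    """Constructed IPFIX message (not a real export): an optional template set
    (set ID 2) defining template 256, followed by one data set using it."""
    template = struct.pack("!HHHHHHHH", 256, 3, 8, 4, 12, 4, 1, 8)  # id, count, (ie, len)*3
    sets = b""
    if include_template:
        sets += struct.pack("!HH", 2, 4 + len(template)) + template
    record = bytes([192, 168, 1, 132, 192, 168, 1, 25]) + struct.pack("!Q", 1500)
    sets += struct.pack("!HH", 256, 4 + len(record)) + record
    # header: version 10, total length, export time, sequence number, observation domain
    return struct.pack("!HHIII", 10, 16 + len(sets), 1751239212, 23000, 0) + sets


def parse_ipfix(msg, templates=None):
    """Parse one IPFIX message; returns (records, problems). `templates` caches
    template_id -> [(element_id, length)] across calls, the state a collector
    is missing whenever the exporter's template set was never received."""
    templates = {} if templates is None else templates
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10:
        raise ValueError(f"not IPFIX: version {version}")
    records, problems, pos = [], [], 16
    while pos + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        if set_len < 4:
            break  # malformed set header; stop rather than loop forever
        body, pos = msg[pos + 4:pos + set_len], pos + set_len
        if set_id == 2:  # template set: learn template_id -> field specifiers
            off = 0
            while off + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[off:off + 4]); off += 4
                if tid < 256:
                    break  # trailing zero padding, not a template record
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[off:off + 4]); off += 4
                    if ie & 0x8000:  # enterprise element: a 4-byte PEN follows
                        ie, off = ie & 0x7FFF, off + 4
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id >= 256:  # data set: decodable only after its template was seen
            fields = templates.get(set_id)
            if not fields:
                problems.append(f"data set {set_id}: template unknown, {len(body)} bytes undecodable")
                continue
            rec_len, off = sum(fl for _, fl in fields), 0  # fixed-length fields assumed
            while rec_len and off + rec_len <= len(body):
                rec = {}
                for ie, flen in fields:
                    raw, off = body[off:off + flen], off + flen
                    rec[IE_NAMES.get(ie, f"ie{ie}")] = ".".join(map(str, raw)) if ie in (8, 12) else int.from_bytes(raw, "big")
                records.append(rec)
    return records, problems
```

Feeding the UDP payloads from a tcpdump capture of port 9996 through `parse_ipfix` with a shared `templates` dict tells you whether the exporter ever sends set ID 2 at all, and whether data sets arrive before the template they depend on.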