Dear
I am using network monitoring sensor (linux machine). I have deployed universal forwarder on this sensor. What i am looking for is to ingest IPFIX data directly from incoming interface on this sensor (eth0) or from a directory (file) and send this data to the Indexer.
Looking to a Splink Stream documentation I cant find proper way to solve this problem.
Looking forward to reading from you soon
Have you gone through the Splunk Stream Supported protocols? https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/ProtocolDetection You'll notice, that IPFIX is not listed here.
Now that being said, you can use Netflow to aggregate IPFIX flows into stream. This is documented here : https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/UseStreamtoingestNetflowandIPF....
Another option is that you can also ingest pcap files that have IPFIX in them also : https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/UseStreamtoparsePCAPfiles
Most of your stream questions regarding configuration, deployment, and protocol support can be found here : https://docs.splunk.com/Documentation/StreamApp/7.2.0/DeployStreamApp/AboutSplunkAppforStream