Environment
- Splunk Enterprise 10.0.0 (Ubuntu 24.04), single VM (indexer+SH+Stream)
- splunk_app_stream 8.1.5, Splunk_TA_stream 8.1.5
- Exporter: NetQuest SNS, IPFIX on UDP/2055, templates 258/259/550
- streamfwd.conf:
[streamfwd]
netflowReceiver.0.decoder = netflow
netflowReceiver.0.port = 2055
- inputs.conf:
[streamfwd://streamfwd]
splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
disabled = 0

Symptoms
- streamfwd.log: “Unable to decode flow set data. No template with id 258/550 received …”
- splunkd.log has Web/401/CSRF noise, but data path is working (streamfwd bound on 2055, tcpdump shows traffic).
- Wireshark confirms templates are present, but shows lines like:
“Template Frame: NNN (received after this frame)”
when inspecting Data Sets with Set ID 258/550.

Question
- Does Streamfwd strictly require that Template Sets for a given observationDomainId be received *before* any Data Sets? If so, is there a setting to buffer or accept out-of-order templates?
- Any known best practices for exporters that may send Data Sets immediately on start, before a template refresh?
- If the exporter uses enterprise/private fields in those templates, do we need a custom mapping for Stream to parse them?

What I’ve tried
- Confirmed the doc’d minimal config and enabled the “netflow” metadata stream.
- Verified with tcpdump/pcap that the SNS sends templates every minute and option templates (ID 550) every 30 seconds.
- Still seeing drops whenever a Data Set arrives before the matching template is cached.

Any guidance (config knobs in Stream, or exporter-side recommendations) would be appreciated.