Streamfwd is not forwarding netflow v9 data to SH

New Member

Hi All,

  1. Installation of the Splunk Stream App on the Search Head was done.
  2. Using curl, streamfwd was installed on a Linux machine.
  3. Later, HEC was enabled and the token was pushed to the indexers through the cluster master.

The environment has 1 Search head, 2 Indexers, 1 Cluster Master, and 1 Deployment server.
All servers are Windows servers. Only the streamfwd machine is a Linux machine.
Netflow data is being received on port 9999.

We have also configured the inputs.conf and streamfwd.conf based on instructions on Splunk docs.
But we do not see any data ingestion.
We confirmed data being received on port 9999 by tcpdump commands.

Thank you.

0 Karma


Did you configure the Streams after configuring the streamfwd? In the Splunk Stream App under "Configuration-->Configure Streams" you define what you want streamfwd to collect. There you create/enable your Streams to collect that define which fields you'd like extracted from that data. Then under "Configuration-->Distributed Forwarder Management" you define your groups to target which forwarders get what Streams.

0 Karma

New Member

Thanks for the reply.

  1. Did you configure the Streams after configuring the streamfwd?
    Yes, we have configured the streams and enabled "netflow" stream.
    By default we have selected all 154 fields in the "netflow" stream.

  2. "Configuration-->Distributed Forwarder Management" - define your groups to target
    Unable to find the 'streamfwd' here, under "Matched Forwarders".
    (Initially, we added to 'default group', but later created a new group as well.)

Could there be any issues with the 'streamfwd' installation via curl?
Are any manual configuration updates required in inputs.conf and streamfwd.conf?

Thanks a lot.

0 Karma


Did you configure HEC on the indexers receiving the data? Docs for it here: You also need to have the inputs.conf on your indexers specifying how the data is coming in, since it isn't arriving via traditional Splunk2Splunk forwarding. The standalone streamfwd sends data via HEC, so you need to configure a token and add that token to both your indexers and your forwarder. Your inputs.conf on the indexer might look something like this:

[http://your_hec_token_name]
disabled = 0
index = your_default_index
token = your_hec_token
indexes = _internal, main, other_indexes_that_this_token_can_send_to

Relevant inputs.conf docs:

0 Karma
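The answer above hinges on three things lining up: the HEC stanza on the indexer must be enabled, the token in it must match the token the forwarder was given, and the stanza's default index must be one the token is allowed to write to. The script below is an added example (not from this thread and not part of Splunk Stream) that parses constructed copies of the two files and reports those mismatches, which are the usual reasons HEC silently drops events. The stanza name, token value and index names are made up; the streamfwd.conf key name httpEventCollectorToken is assumed from the Stream documentation and should be checked against your version.

```python
import configparser

# Constructed sample of the indexer-side inputs.conf HEC stanza (not from the thread).
INDEXER_INPUTS_CONF = """
[http://stream_netflow_token]
disabled = 0
index = netflow
token = 11111111-2222-3333-4444-555555555555
indexes = _internal, main, netflow
"""

# Constructed sample of the forwarder-side streamfwd.conf. The key name
# httpEventCollectorToken is assumed from the Stream docs; verify for your version.
FORWARDER_STREAMFWD_CONF = """
[streamfwd]
httpEventCollectorToken = 11111111-2222-3333-4444-555555555555
"""


def parse_conf(text):
    """Parse a Splunk .conf file; these are plain INI files with case-sensitive keys."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return cp


def hec_stanzas(cp):
    """Return only the HEC token stanzas, i.e. sections named [http://<name>]."""
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("http://")}


def check_hec_stanza(name, stanza):
    """Report reasons this HEC stanza could not accept the forwarder's events."""
    problems = []
    if stanza.get("disabled", "0").strip().lower() not in ("0", "false"):
        problems.append(f"{name}: stanza is disabled")
    token = stanza.get("token", "").strip()
    if not token or token == "your_hec_token":
        problems.append(f"{name}: token is missing or still a placeholder")
    default_index = stanza.get("index", "").strip()
    allowed = {i.strip() for i in stanza.get("indexes", "").split(",") if i.strip()}
    if default_index and allowed and default_index not in allowed:
        problems.append(
            f"{name}: default index '{default_index}' is not in indexes={sorted(allowed)}"
        )
    return problems


def check_token_match(indexer_cp, forwarder_cp):
    """The forwarder's token must equal the token of some HEC stanza on the indexer."""
    if not forwarder_cp.has_section("streamfwd"):
        return ["forwarder: no [streamfwd] stanza found"]
    fwd_token = forwarder_cp["streamfwd"].get("httpEventCollectorToken", "").strip()
    indexer_tokens = {s.get("token", "").strip() for s in hec_stanzas(indexer_cp).values()}
    if fwd_token and fwd_token in indexer_tokens:
        return []
    return [f"forwarder token {fwd_token!r} matches no HEC stanza on the indexer"]


def audit(indexer_text, forwarder_text):
    """Run every check and return the list of problems (empty means config is consistent)."""
    indexer_cp = parse_conf(indexer_text)
    forwarder_cp = parse_conf(forwarder_text)
    problems = []
    stanzas = hec_stanzas(indexer_cp)
    if not stanzas:
        problems.append("indexer: no [http://...] HEC stanza found in inputs.conf")
    for name, stanza in stanzas.items():
        problems.extend(check_hec_stanza(name, stanza))
    problems.extend(check_token_match(indexer_cp, forwarder_cp))
    return problems


def hec_test_command(indexer_host, token, port=8088):
    """Build the curl command for a manual end-to-end HEC test from the forwarder host.

    HEC's default port is 8088; the host name is whatever you pass in. A 200 response with
    {"text":"Success","code":0} shows the token and index are accepted before streamfwd is blamed.
    """
    return (
        f"curl -k https://{indexer_host}:{port}/services/collector/event "
        f"-H 'Authorization: Splunk {token}' "
        "-d '{\"event\": \"hec connectivity test\"}'"
    )


if __name__ == "__main__":
    for p in audit(INDEXER_INPUTS_CONF, FORWARDER_STREAMFWD_CONF) or ["no problems found"]:
        print(p)
    print(hec_test_command("idx01.example.internal", "11111111-2222-3333-4444-555555555555"))
```

Run it against real copies of the two files by replacing the constructed strings with the file contents; a non-empty problem list points at the stanza to fix before looking further at streamfwd itself. Remember that on a clustered deployment the inputs.conf stanza has to be in the app pushed from the cluster master, otherwise the indexers keep running the old token.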


Does the Stream add-on support sending data to the indexers using S2S communication on port 9997?

The docs only seem to emphasize integration using HEC.

0 Karma