Re: netflow missing fields problem with flowIntegr...

yunusemreakbaba · ‎12-14-2012

Hi all,

I managed to retrieve netflow from my cisco firewall by using flowIntegrator and splunk. But the problem is : The netflow record that I get have missing fields like destination_addr. I copied the netflow data with key-value match that I retrieved below. Is there anyone have any idea about this issue? Any help is appreciated.

_sourcetype: flowintegrator

index: main

t_int: 30005

bytes: 0

host: 127.0.0.1

_cd: 1:63560

_serial: 0

fi_module: 50015

_si: ubuntu,main

date: Dec 13 11:49:23

splunk_server: ubuntu

linecount: 1

percent_of_total: 0

_indextime: 1355392163

denied_cnt: 1

username: na

created_cnt: 1

source: netflow

sourcetype: flowintegrator

_bkt: main~1~3984975D-B674-425B-B482-EA9629744985

_time: 2012-12-13T11:49:23.000+02:00

ipv4_src_addr: 31.13.72.7

_raw: Dec 13 11:49:23 ff:ff:00:01 fi_module=50015 ipv4_src_addr=31.13.72.7 username=na created_cnt=1 denied_cnt=1 bytes=0 percent_of_total=0 t_int=30005

dmiller2010 · ‎01-15-2013

The field for destination_addr is supported in another rule available in the latest beta for 2.0. You will need to register for it on our website: http://www.netflowlogic.com. If you have any additional questions or support requests, please see our support site at: https://netflowlogic.zendesk.com/home

netflow missing fields problem with flowIntegrator

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...