Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with NetFlow v9 Templates Not Received by Splunk Stream – Flows Being Dropped

kn450
Explorer
‎06-20-2025 11:20 PM

Hi Splunk Community,

I'm currently integrating Flowmon ndr as a NetFlow data exporter to Splunk Stream, but I’m encountering a persistent issue where Splunk receives the flow data, yet it’s not decoded properly, and flow sets are being dropped due to missing templates.

Here’s the warning from the Splunk log:

```
2025-06-21 08:34:49 WARN [139703701448448] (NetflowManager/NetflowDecoder.cpp:1282) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 258 received for observation domain id 13000 from device 10.x.x.x. Dropping flow data set of size 328
```

Setup details:

Exporter: Flowmon
Collector: Splunk Stream
 Protocol: NetFlow v9 (also tested with IPFIX)
Transport: UDP
 Template Resend Configuration: Every 4096 packets or  600 seconds

Despite verifying these settings on Flowmon, Splunk continues to report that the template ID (in this case, 258) was never received, causing all related flows to be dropped.

My questions:

1. Has anyone successfully integrated Flowmon with Splunk Stream using NetFlow v9?
2. Is there a known issue with Splunk Stream not handling templates properly from certain exporters?
3. Are there any recommended Splunk Stream configuration tweaks for handling late or infrequent templates?

Any insights, experiences, or troubleshooting tips would be greatly appreciated.

Thanks in advance!

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎06-20-2025 11:27 PM

Hi @kn450 

Splunk Stream requires NetFlow v9/IPFIX templates to be received before it can decode flow records; if templates arrive infrequently or are missed, flows are dropped.

I'm not aware of any specific known issues around this, but I certainly think it is worth configuring Flowmon to send templates much more frequently (ideally every 20–30 seconds, not just every 600 seconds or 4096 packets) and see if this alleviate the issue.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

kn450
Explorer
‎06-20-2025 11:53 PM

I changed the time and the pack size, but the problem still exists.

0 Karma
Reply

uthornander_spl
Splunk Employee
Splunk Employee
‎07-11-2025 07:51 AM

There currently is an issue with NF 9 and STREAM 8.1.5.
I suggest downgrading until there's a newer release.

UT
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...