Hi @kn450,

For a basic setup with either a standalone Splunk/Stream instance or separate Splunk and Stream instances, the steps at https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/UseStreamtoingestNetflowandIPFIXdata result in a working configuration. In my test environment using a standalone instance on RHEL, I made only the following changes to $SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/streamfwd.conf to enable both capture and NetFlow/IPFIX:

[streamfwd]
streamfwdcapture.0.interfaceRegex = ens.+
netflowReceiver.0.port = 9996
netflowReceiver.0.decoder = netflow

I then enabled the netflow metadata stream in the Splunk Stream app. Using SolarWinds NetFlow Generator <https://www.solarwinds.com/free-tools/flow-tool-bundle> (not an endorsement, but it's free), I sent sample IPFIX data to the standalone instance, which Stream successfully decoded:

{"endtime":"2025-06-29T23:20:12Z","timestamp":"2025-06-29T23:20:12Z","bytes_in":0,"dest_ip":"192.168.1.25","dest_port":443,"dest_sysnum":0,"event_name":"netFlowData","exporter_ip":"192.168.1.158","exporter_time":"2025-Jun-29 23:20:12","flow_end_rel":0,"flow_start_rel":0,"input_snmpidx":8,"netflow_version":10,"nexthop_addr":"1.1.1.2","observation_domain_id":0,"output_snmpidx":5,"packets_in":0,"protoid":6,"seqnumber":23000,"src_ip":"192.168.1.132","src_port":15449,"src_sysnum":0,"tcp_flags":0,"tos":0}

Custom NetFlow parsing is described at https://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/AutoinputNetflow.

Can you confirm the default configuration works? If it does, we can dig into any customizations you need. If it doesn't, confirm your Stream instance is receiving correctly formatted IPFIX packets using tcpdump or another local capture tool.
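The last suggestion in the answer above, checking that what arrives on UDP 9996 is well-formed IPFIX, can be automated. The following is an added example, not Splunk's or the answer author's code: it validates the IPFIX (NetFlow v10) message header and walks the Set headers of a datagram, and it runs against a constructed sample datagram whose sequence number and observation domain id match the decoded record shown above; the UDP payloads from a tcpdump capture can be fed to the same functions.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

IPFIX_VERSION = 10  # NetFlow v5/v9 exporters put 5/9 here; Stream's IPFIX decoding needs 10
HEADER_LEN = 16     # version, length, export time, sequence number, observation domain id


@dataclass
class IpfixHeader:
    version: int
    length: int
    export_time: int
    sequence: int
    observation_domain_id: int


def parse_ipfix_header(payload: bytes) -> IpfixHeader:
    """Parse the 16-byte IPFIX message header (RFC 7011, section 3.1).
    Raises ValueError for anything that is not a well-formed IPFIX message."""
    if len(payload) < HEADER_LEN:
        raise ValueError(f"datagram too short for an IPFIX header: {len(payload)} bytes")
    version, length, export_time, seq, odid = struct.unpack("!HHIII", payload[:HEADER_LEN])
    if version != IPFIX_VERSION:
        raise ValueError(f"version field is {version}, not 10: not IPFIX")
    if length != len(payload):
        raise ValueError(f"length field {length} does not match datagram size {len(payload)}")
    return IpfixHeader(version, length, export_time, seq, odid)


def parse_set_headers(payload: bytes) -> List[Tuple[int, int]]:
    """Return (set_id, set_length) for every Set in the message.
    Set ID 2 = Template Set, 3 = Options Template Set, >= 256 = Data Set."""
    hdr = parse_ipfix_header(payload)
    sets, offset = [], HEADER_LEN
    while offset < hdr.length:
        if hdr.length - offset < 4:
            raise ValueError(f"{hdr.length - offset} trailing bytes cannot hold a Set header")
        set_id, set_len = struct.unpack("!HH", payload[offset:offset + 4])
        if set_len < 4 or offset + set_len > hdr.length:
            raise ValueError(f"Set at offset {offset} has invalid length {set_len}")
        sets.append((set_id, set_len))
        offset += set_len
    return sets


# Constructed sample datagram (not a real capture): a Template Set defining template 256 with
# sourceIPv4Address (IE 8) and destinationIPv4Address (IE 12), followed by one Data Set record.
_TEMPLATE_SET = struct.pack("!HHHHHHHH", 2, 16, 256, 2, 8, 4, 12, 4)
_DATA_SET = struct.pack("!HH", 256, 12) + bytes([192, 168, 1, 132]) + bytes([192, 168, 1, 25])
SAMPLE_IPFIX = struct.pack("!HHIII", 10, HEADER_LEN + len(_TEMPLATE_SET) + len(_DATA_SET),
                           1751239212, 23000, 0) + _TEMPLATE_SET + _DATA_SET
```

A datagram that fails `parse_ipfix_header` with a version of 5 or 9 is NetFlow rather than IPFIX, which is the first thing to rule out when the decoder stays silent.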