We recently upgraded our NetScalers from v10 to v11. Soon after, our heavy forwarder running the Splunk_TA_IPFIX_UDP_NIX app started running very high memory. We were also dropping 95%+ appflow data. I started researching and upgraded our Splunk Netscaler app and TA to 5.x on the heavy forwarder. The Splunk_TA_ipfix was really the only component that needed to be upgraded, but I thought since I was upgrading one, I would do both.
I am now receiving appflow data again, but it appears that the format has changed. I no longer see fields such as "Address" which used to indicate which NetScaler host the log referenced. I also no longer see a timestamp in the log. I do not know if these log format changes are due to switching to a modular input for receiving appflow or not.
Any assistance with v11 appflow would be appreciated.
Thanks