Hi,
Thanks a lot for this in-depth explanation. I've also been facing the same issue, "Citrix Netscaler - Appflow - Template not known (yet)", for several days now. It seems that the template I'm supposed to receive from the Netscaler unit on my Splunk server does not come in or is not functioning properly.
Such a "template" is supposed to be sent every 5 min, based on my Netscaler unit:
> show appflow param
AppFlow parameters
IPFIX template refresh interval: 600 seconds
Appname refresh interval: 600 seconds
IPFIX flow record export interval: 600 seconds
IPFIX UDP Path MTU: 1472 bytes
HTTP URL logging: ENABLED
AAA username logging: ENABLED
HTTP cookie logging: ENABLED
HTTP referer logging: ENABLED
HTTP method logging: ENABLED
HTTP host logging: ENABLED
HTTP user-agent logging: ENABLED
HTTP Content-Type header logging: ENABLED
HTTP Authorization header logging: ENABLED
HTTP Via header logging: ENABLED
HTTP X-Forwarded-For header logging: ENABLED
HTTP Location header logging: ENABLED
HTTP Setcookie header logging: ENABLED
HTTP Setcookie2 header logging: ENABLED
HTTP Domain Name logging: ENABLED
Log only client-side traffic: YES
Connection Chaining: ENABLED
Skip Cache Redirection HTTP Transaction: ENABLED
Done
Looking at a few stats from my Netscaler units, I can verify that I'm successfully sending AppFlow data to Splunk (the setup was done according to this setup video), and I can see it in my Splunk search requests:
> show appflow policy
1) Name: AppFlow_Policy_for_Splunk
Hits: 11191
Undef Hits: 0
Active: Yes
Done
> show appflow action
1) Name: AppFlow_Action_for_Splunk
Collectors: AppFlow_Collector_for_Splunk
Client-side Measurements: ENABLED
Hits: 11191
Action Reference Count: 1
Done
> show appflow collector
1) Name: AppFlow_Collector_for_Splunk
IPv4 address: xx.xx.xx.xx
UDP port: 4739
Netprofile:
Done
Is there any other way to check the reception of this famous template? Or to force it?
Isn't this kind of template a file with the iespec extension? Such files are included in the package structure of the Splunk_TA_ipfix and SplunkforCitrixNetScaler apps:
Splunk_TA_ipfix/default/information-elements/netscaler_10.1.iespec
SplunkforCitrixNetScaler/default/information-elements/netscaler_10.1.iespec
Couldn't we use those as a starter? And how?
Regards,
Franck
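Added example, not part of the original post and not code from Splunk or Citrix: one way to check on the collector side whether IPFIX Template Sets are arriving is to walk the captured UDP payloads and flag Data Sets whose Template ID has not been seen yet. The parsing follows the RFC 7011 message layout; the function names, the sample messages and the enterprise number 12345 are constructed for illustration.

```python
import struct
TEMPLATE_SET, OPTIONS_TEMPLATE_SET = 2, 3   # Set IDs reserved by RFC 7011

def template_ids(body, options):
    """Yield the Template IDs defined in a (Options) Template Set body."""
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        if tid < 256:                        # zero padding at the end of the set
            break
        off += (6 if options else 4) if count else 4   # withdrawals have no scope count
        for _ in range(count):
            ie_id = int.from_bytes(body[off:off + 2], "big")
            off += 8 if ie_id & 0x8000 else 4   # enterprise bit: 4-byte PEN follows
        if off > len(body):
            raise ValueError("truncated template record")
        if count:                            # Field Count 0 is a withdrawal
            yield tid

def inspect(datagrams):
    """Classify every set in each UDP payload, in arrival order."""
    known, report = set(), []
    for n, msg in enumerate(datagrams):
        if len(msg) < 16 or msg[:2] != b"\x00\x0a":   # IPFIX version is 10
            report.append((n, "not-ipfix", None))
            continue
        _v, length, _t, _s, domain = struct.unpack_from("!HHIII", msg)
        off, end = 16, min(length, len(msg))
        while off + 4 <= end:
            set_id, set_len = struct.unpack_from("!HH", msg, off)
            if set_len < 4 or off + set_len > end:
                report.append((n, "malformed-set", set_id))
                break
            body = msg[off + 4:off + set_len]
            if set_id in (TEMPLATE_SET, OPTIONS_TEMPLATE_SET):
                for tid in template_ids(body, set_id == OPTIONS_TEMPLATE_SET):
                    known.add((domain, tid))
                    report.append((n, "template", tid))
            elif set_id >= 256:              # data set: Set ID = Template ID it needs
                state = "data" if (domain, set_id) in known else "data-without-template"
                report.append((n, state, set_id))
            off += set_len
    return report

def _msg(domain, set_id, body):              # builds one constructed message
    return struct.pack("!HHIIIHH", 10, 20 + len(body), 0, 0, domain, set_id, 4 + len(body)) + body

# Constructed sample: template 256 = IE 8 (4 bytes) + one enterprise IE (PEN 12345 is made up)
TMPL = struct.pack("!HHHHHHI", 256, 2, 8, 4, 0x8000 | 1, 4, 12345)
SAMPLE = [_msg(1, 256, b"\0" * 8), _msg(1, 2, TMPL), _msg(1, 256, b"\0" * 8)]
```

Calling `inspect()` on the UDP payloads from a packet capture of port 4739 taken on the collector shows whether any "template" rows appear at all, and at what spacing.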