Hi, I'm not entirely sure what I did in the end. I think I fixed the file. However, once I was getting the AppFlow data it became apparent it wasn't going to provide me with what I wanted. So instead I created a simple add-on that runs REST commands against ADM using PowerShell. That gives us the network stats that we were looking for.
Hi, I've been trying for a long time now to get NetScaler IPFIX/NetFlow data properly ingested into a Nozo9110test Splunk instance. I have the Stream app and forwarder etc. looking like they are working. All the data comes in as sourcetype stream:netflow. However, I need this to be sourcetype citrix:netscaler:ipfix, so I have added props and transforms to achieve that based on the IP address the data is coming from. Now this has worked and the sourcetype has changed, as you can see: However, I expected the data to then be processed and the fields extracted from the netscalerSyslogMessage field. In the NetScaler TA there are entries to transform sourcetype on the detection of netscalerSyslogMessage, but none of that seems to be happening. I'm sure I'm just missing something obvious, but I'd really appreciate some help nailing this down. Here's what I've done to change the sourcetype:

props:
[source::stream:netflow]
TRANSFORMS-changesourcetype = set_netscaler

transforms:
[set_netscaler]
FORMAT = sourcetype::citrix:netscaler:ipfix
DEST_KEY = MetaData:Sourcetype
REGEX= exporter_ip":"172.31.113.8
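A way to check the sourcetype override above offline before it goes on an indexer, as an added example that is not from the post or from Splunk: a small simulation of the index-time TRANSFORMS path (props stanza names the transform, REGEX is tested against _raw, FORMAT rewrites MetaData:Sourcetype). The sample events and their JSON shape are constructed, Python's re stands in for Splunk's PCRE, and the second, tightened REGEX (escaped dots plus the closing quote) is my own variant for comparison, not the poster's config. Running both shows why the check matters: the REGEX as posted also matches an exporter at 172.31.113.80, because the unescaped dots match any character and nothing terminates the address.

```python
import re

# Constructed input: the props.conf / transforms.conf stanzas from the post.
PROPS_CONF = r"""
[source::stream:netflow]
TRANSFORMS-changesourcetype = set_netscaler
"""

TRANSFORMS_AS_POSTED = r"""
[set_netscaler]
FORMAT = sourcetype::citrix:netscaler:ipfix
DEST_KEY = MetaData:Sourcetype
REGEX= exporter_ip":"172.31.113.8
"""

# Same stanza with the dots escaped and the closing quote included, so only the
# exact exporter address matches (assumed improvement, not the post's config).
TRANSFORMS_STRICT = r"""
[set_netscaler]
FORMAT = sourcetype::citrix:netscaler:ipfix
DEST_KEY = MetaData:Sourcetype
REGEX = exporter_ip":"172\.31\.113\.8"
"""

# Constructed sample events: the JSON shape is illustrative, not Stream's real output.
SAMPLE_EVENTS = [
    '{"exporter_ip":"172.31.113.8","flow_id":1}',
    '{"exporter_ip":"172.31.113.80","flow_id":2}',
    '{"exporter_ip":"10.0.0.5","flow_id":3}',
]


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def assigned_sourcetype(event, source, props, transforms):
    """Return the sourcetype a MetaData:Sourcetype transform would set, or None.

    Mirrors the index-time flow: the props stanza for the source names transform
    stanzas; the first one whose REGEX matches _raw rewrites the sourcetype via FORMAT.
    """
    stanza = props.get(f"source::{source}", {})
    for key, names in stanza.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in names.split(",")):
            t = transforms.get(name, {})
            if t.get("DEST_KEY") != "MetaData:Sourcetype":
                continue
            if re.search(t["REGEX"], event):
                return t["FORMAT"].split("sourcetype::", 1)[1]
    return None


def classify(events, props_text, transforms_text, source="stream:netflow"):
    """Apply the transforms to each raw event and return the resulting sourcetypes."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    return [assigned_sourcetype(e, source, props, transforms) for e in events]


if __name__ == "__main__":
    for label, conf in (("as posted", TRANSFORMS_AS_POSTED), ("strict", TRANSFORMS_STRICT)):
        print(label, classify(SAMPLE_EVENTS, PROPS_CONF, conf))
```

With the posted stanza the first two events both become citrix:netscaler:ipfix; with the strict variant only the 172.31.113.8 exporter does, and the 10.0.0.5 event keeps its original sourcetype in both runs.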
Hi, I'm pulling my hair out trying to get IPFIX/AppFlow data flowing into Splunk from NetScalers.
I can see the data coming in, but it looks like it's failing to get decoded:
Errors such as this in streamfwd.log:
2021-04-05 12:52:01 WARN  (NetflowDecoder.cpp:1275) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 264 received for observation domain id 0 from device 172.31.113.8 . Dropping flow data set of size 1372
So looking in the splunk_app_stream.log I see these errors after adding the Citrix NetFlow definitions:
2021-04-05 12:41:48,271 ERROR stream:569 - Invalid Stream definition for stream with id netflow -- Validation Error None is not of type 'string'
So it seems to me that there is some kind of problem between the definitions in the netflow file and possibly the citrix.xml vocabulary file, but I can't figure out what. If I could change the code so that when the error was thrown it would tell me what element is causing the problem, that would be very useful, but as it stands I'm in the dark.
Has anyone got this working? Or indeed know how to troubleshoot this?
Apps installed are:
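On the second error: "None is not of type 'string'" is the wording the jsonschema library produces when a null sits where the schema expects a string, and the log line above reports only the stream id, not the element. The following is an added example, not Splunk Stream's own code, that does the narrowing-down the poster asks for: it walks a parsed stream definition and lists every null value with its JSON path and the nearest enclosing "name" or "id". It assumes the netflow stream definition is a JSON document; the sample definition below is constructed for illustration and does not reproduce the real Splunk Stream schema.

```python
import json

# Constructed sample: a definition with a null where a string belongs. The keys are
# illustrative, not the real Splunk Stream schema; the point is locating the element.
SAMPLE_DEFINITION = r"""
{
  "id": "netflow",
  "name": "netflow",
  "fields": [
    {"name": "exporter_ip", "enabled": true, "term": "netflow.exporter-ip"},
    {"name": "netscalerSyslogMessage", "enabled": true, "term": null}
  ]
}
"""


def find_nulls(node, path="$", context=None):
    """Yield (json_path, nearest_label) for every null in a parsed JSON document.

    nearest_label is the "name" or "id" of the closest enclosing object that has one,
    so a hit inside a long "fields" array can be tied back to the field it belongs to.
    """
    if node is None:
        yield path, context
    elif isinstance(node, dict):
        label = node.get("name") or node.get("id") or context
        for key, value in node.items():
            yield from find_nulls(value, f"{path}.{key}", label)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_nulls(value, f"{path}[{index}]", context)


def null_locations(text):
    """Parse JSON text and return all null locations in document order."""
    return list(find_nulls(json.loads(text)))


if __name__ == "__main__":
    for path, label in null_locations(SAMPLE_DEFINITION):
        print(f"null value at {path} (inside '{label}')")
```

Pointing null_locations at the actual definition file (json.loads of its contents) gives a short list of candidates to compare against the citrix.xml vocabulary; a "term" or similar string field that came through as null is the kind of element that trips the validator, while nulls in fields the schema allows to be absent can be ignored.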