Hello everyone, I have a network monitoring system that exports data via IPFIX using Forwarding Targets. I am trying to receive this data in Splunk using the Splunk Stream app. The add-on is installed and Stream is enabled, but I am facing the following issues: Templates are not being received properly. The data arrives, but it's unreadable or incomplete. I need full flow data, including summaries or headers from Layer 7 (e.g., HTTP, DNS). My question: Has anyone successfully received and parsed IPFIX data in Splunk? If so, could you share the steps or configurations you used (like streamfwd.conf, input settings, etc.)? Any guidance would be greatly appreciated! Thanks in advance! ... View more

Hi Splunk Community, I'm currently integrating Flowmon ndr as a NetFlow data exporter to Splunk Stream, but I’m encountering a persistent issue where Splunk receives the flow data, yet it’s not decoded properly, and flow sets are being dropped due to missing templates. Here’s the warning from the Splunk log: ``` 2025-06-21 08:34:49 WARN [139703701448448] (NetflowManager/NetflowDecoder.cpp:1282) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 258 received for observation domain id 13000 from device 10.x.x.x. Dropping flow data set of size 328 ``` Setup details: Exporter: Flowmon Collector: Splunk Stream  Protocol: NetFlow v9 (also tested with IPFIX) Transport: UDP  Template Resend Configuration: Every 4096 packets or  600 seconds Despite verifying these settings on Flowmon, Splunk continues to report that the template ID (in this case, 258) was never received, causing all related flows to be dropped. My questions: 1. Has anyone successfully integrated Flowmon with Splunk Stream using NetFlow v9? 2. Is there a known issue with Splunk Stream not handling templates properly from certain exporters? 3. Are there any recommended Splunk Stream configuration tweaks for handling late or infrequent templates? Any insights, experiences, or troubleshooting tips would be greatly appreciated. Thanks in advance! ... View more

opt/caspida/bin/Caspida setuphadoop ...............................Failed to run sudo -u hdfs hdfs namenode -format >> /var/vcap/sys/log/caspida/caspida.out 2>&1 Fri Jun 2 17:06:11 +07 2023: [ERROR] Failed to run hadoop_setup [2]. Fix errors and re-run again. Error in running /opt/caspida/bin/Caspida setuphadoop on 192.168.126.16. Fix errors and re-run again. i execute the command /opt/caspida/bin/caspida setup but stopped here hadoopsetup can't run, i don't know the cause yet. someone please help me. I put some install logs here ... View more

Hi Splunk Community, I’m working on a use case where data is stored in Elasticsearch, and I’d like to use Splunk solely as an interface for visualizing and querying the data using SPL (Search Processing Language) — without ingesting or storing the data again in Splunk, to avoid duplication and unnecessary storage costs. My main questions are: Is there a way to connect Splunk directly to Elasticsearch as an external data source? Can Splunk query external data (like from Elasticsearch) using SPL, without indexing it? Are there any available add-ons, modular inputs, or scripted solutions that allow this type of integration? Is this approach officially supported by Splunk, or would it require a custom integration? I’m aware that tools like Logstash or Kafka can be used to bring data into Splunk, but that’s exactly what I’m trying to avoid — I don’t want to duplicate the data storage. If anyone has experience with a similar setup, or any recommendations, I’d greatly appreciate your input. Thanks in advance!   ... View more

Dear Splunk Community, I am currently working on a project focused on identifying the essential data that should be collected from endpoints into Splunk, with the goal of avoiding data duplication and ensuring efficiency in both performance and storage. Here’s what has been implemented so far: The Splunk_TA_windows add-on has been deployed. The inputs.conf file has been configured to include all available data. Sysmon has been installed on the endpoints. The Sysmon inputs.conf path has been added to be collected using the default configuration from the Splunk_TA_windows add-on. In addition, we are currently collecting data from firewalls and network switches. I’ve attached screenshots showing the volume of data collected from one endpoint over a 24-hour period. The data volume is quite large, especially in the following categories: WinRegistry Service Upon reviewing the data, I noticed that some information gathered from endpoints may be redundant or unnecessary, especially since we are already collecting valuable data from firewalls and switches. This has led me to consider whether we can reduce the amount of endpoint data being collected without compromising visibility. I would appreciate your input on the following: What are Splunk's best practices for collecting data from endpoints? What types of data are considered essential for security monitoring and analysis? Is relying solely on Sysmon generally sufficient in most security environments? Is there a recommended framework or guideline for collecting the minimum necessary data while maintaining effective monitoring? I appreciate any suggestions, experiences, or insights you can share. Looking forward to learning from your expertise. ... View more

Description: Hello, I am experiencing an issue with the "event_id" field when transferring notable events from Splunk Enterprise Security (ES) to Splunk SOAR. Details: When sending the event to SOAR using an Adaptive Response Action (Send to SOAR), the event is sent successfully, but the "event_id" field does not appear in the data received in SOAR. Any assistance or guidance to resolve this issue would be greatly appreciated. Thank you ... View more