Environment

- Splunk Enterprise 10.0.0 (Ubuntu 24.04), single VM (indexer+SH+Stream)
- splunk_app_stream 8.1.5, Splunk_TA_stream 8.1.5
- Exporter: NetQuest SNS, IPFIX on UDP/2055, templates 258/259/550
- streamfwd.conf:

      [streamfwd]
      netflowReceiver.0.decoder = netflow
      netflowReceiver.0.port = 2055

- inputs.conf:

      [streamfwd://streamfwd]
      splunk_stream_app_location = https://localhost:8000/en-us/custom/splunk_app_stream/
      disabled = 0

Symptoms

- streamfwd.log: “Unable to decode flow set data. No template with id 258/550 received …”
- splunkd.log has Web/401/CSRF noise, but data path is working (streamfwd bound on 2055, tcpdump shows traffic).
- Wireshark confirms templates are present, but shows lines like: “Template Frame: NNN (received after this frame)” when inspecting Data Sets with Set ID 258/550.

Question

- Does Streamfwd strictly require that Template Sets for a given observationDomainId be received *before* any Data Sets? If so, is there a setting to buffer or accept out-of-order templates?
- Any known best practices for exporters that may send Data Sets immediately on start, before a template refresh?
- If the exporter uses enterprise/private fields in those templates, do we need a custom mapping for Stream to parse them?

What I’ve tried

- Confirmed the doc’d minimal config and enabled the “netflow” metadata stream.
- Verified with tcpdump/pcap that the SNS sends templates every minute and option templates (ID 550) every 30 seconds.
- Still seeing drops whenever a Data Set arrives before the matching template is cached.

Any guidance (config knobs in Stream, or exporter-side recommendations) would be appreciated.
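As an added illustration of the template-before-data ordering the question is about (this is not code from the post, from Splunk Stream, or from NetQuest): a small Python collector that parses IPFIX messages per RFC 7011, caches templates keyed by (observationDomainId, templateId), and buffers data sets that arrive before their template instead of dropping them, decoding them once the template shows up. The message builders, the sample flow record and the private enterprise number 12345 are constructed for the demo; the decoder handles fixed-length fields only (no variable-length encoding) and skips options template sets (set ID 3).

```python
import struct
from collections import defaultdict

# --- constructed helpers to build IPFIX messages for the demo (hypothetical exporter) ---

def ipfix_message(domain_id, sets, seq=0, export_time=0):
    """RFC 7011 message header: version 10, length, export time, sequence, observation domain."""
    body = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, domain_id) + body

def template_set(template_id, fields):
    """Template set (set ID 2). fields: list of (ie_id, length, enterprise_number_or_None)."""
    rec = struct.pack("!HH", template_id, len(fields))
    for ie_id, length, pen in fields:
        if pen is None:
            rec += struct.pack("!HH", ie_id, length)
        else:  # enterprise-specific element: high bit set, PEN follows
            rec += struct.pack("!HHI", ie_id | 0x8000, length, pen)
    return struct.pack("!HH", 2, 4 + len(rec)) + rec

def data_set(template_id, records):
    """Data set: set ID is the template ID (>= 256), records are raw fixed-length bodies."""
    body = b"".join(records)
    return struct.pack("!HH", template_id, 4 + len(body)) + body

# --- collector that tolerates data sets arriving before their template ---

class IpfixCollector:
    def __init__(self):
        self.templates = {}                # (domain, tid) -> [(ie_id, length, pen), ...]
        self.pending = defaultdict(list)   # (domain, tid) -> raw data-set bodies seen too early
        self.decoded = []                  # (domain, tid, {field_key: raw_bytes})

    def feed(self, msg):
        version, length, _export_time, _seq, domain = struct.unpack("!HHIII", msg[:16])
        if version != 10:
            raise ValueError("not an IPFIX message")
        off = 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            if set_len < 4:
                break  # malformed set header; stop rather than loop forever
            body = msg[off + 4:off + set_len]
            if set_id == 2:
                self._parse_templates(domain, body)
            elif set_id >= 256:
                self._handle_data(domain, set_id, body)
            # set ID 3 (options templates) is ignored in this demo
            off += set_len

    def _parse_templates(self, domain, body):
        off = 0
        while off + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[off:off + 4]); off += 4
            if tid == 0 and count == 0:
                break  # zero padding at the end of the set
            fields = []
            for _ in range(count):
                ie, ln = struct.unpack("!HH", body[off:off + 4]); off += 4
                pen = None
                if ie & 0x8000:
                    pen = struct.unpack("!I", body[off:off + 4])[0]; off += 4
                    ie &= 0x7FFF
                fields.append((ie, ln, pen))
            self.templates[(domain, tid)] = fields
            # template is now known: decode anything buffered for it
            for early in self.pending.pop((domain, tid), []):
                self._decode(domain, tid, early)

    def _handle_data(self, domain, tid, body):
        if (domain, tid) in self.templates:
            self._decode(domain, tid, body)
        else:
            self.pending[(domain, tid)].append(body)  # buffer instead of dropping

    def _decode(self, domain, tid, body):
        fields = self.templates[(domain, tid)]
        rec_len = sum(ln for _, ln, _ in fields)  # fixed-length fields only
        off = 0
        while off + rec_len <= len(body):       # trailing bytes shorter than a record are padding
            rec = {}
            for ie, ln, pen in fields:
                key = f"{pen}:{ie}" if pen is not None else str(ie)
                rec[key] = body[off:off + ln]; off += ln
            self.decoded.append((domain, tid, rec))

def demo():
    """Constructed scenario: data set for template 258 arrives one message before the template."""
    pen = 12345  # hypothetical private enterprise number, not from the post
    fields = [(8, 4, None), (12, 4, None), (1, 4, None), (100, 2, pen)]  # srcIPv4, dstIPv4, octets, private
    record = bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]) + struct.pack("!I", 1500) + b"\x01\x02"
    early_data = ipfix_message(1, [data_set(258, [record])], seq=0)
    late_template = ipfix_message(1, [template_set(258, fields)], seq=1)
    c = IpfixCollector()
    c.feed(early_data)
    decoded_before_template = len(c.decoded)   # 0: buffered, nothing decoded yet
    c.feed(late_template)
    return c, decoded_before_template

if __name__ == "__main__":
    collector, before = demo()
    print("decoded before template:", before, "after:", len(collector.decoded))
```

Whether streamfwd buffers like this is exactly the open question in the post; the example only shows what a tolerant collector would do with the same packet order, and that the one early record is recovered, including its enterprise-specific field, once the late template arrives. A data set whose template never arrives stays in `pending`, which is the case worth counting and alerting on rather than silently dropping.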