Hello All,

We were using Splunk_TA_ipfix to collect the NetScaler Appflow logs and send them to our index cluster. With the release of Splunk_TA_citrix_netscaler 7.0.1, it states to collect Appflow logs using Splunk Stream. I am not sure what I am doing wrong. Here is my distributed environment:

2 Non-Clustered ADHOC SH
1 Non-Clustered ES SH
13 Node Index cluster

I installed the NetScaler TA on all SHs and all indexers
I installed Stream one of my ADHOC SH that is not busy
I installed Stream TA on a heavy forwarder that was configured to receive data Appflow data when ipfix TA was installed.

Splunk_TA_stream configuration files:

streamforward.conf:

[streamfwd]
netflowReceiver.0.ip = 0.0.0.0
netflowReceiver.0.port = 4739
netflowReceiver.0.protocol = udp
netflowReceiver.0.decoder = netflow

inputs.conf:

[streamfwd://streamfwd]
splunk_stream_app_location = https://adhoc_sh_1:8000/en-us/custom/splunk_app_stream/
stream_forwarder_id =
disabled = 0

I do not see any data being forwarded to the ad hoc SH nor do I see any data being sent to the indexers for the NetScaler appflow sourcetype. The instructions for collect IPFIX/APPFLOW are as about as clear as mud on a moonless night on a cloudy night in the middle of winter. I know I do not have the inputs setup properly and I am not sure what else I have wrong. Any help would be greatly appreciated.

Thanks,

Ed