Have IPFIX set up successfully with a Virtual Index on my Hadoop Cluster, but it keeps erroring with the below message. This has been running over 4 hours. Can someone help me?
index=_internal source=splunkd.log (log_level=ERROR OR log_level=CRIT OR log_level=FATAL) _raw="03-27-2015 17:02:46.438 -0400 ERROR ExecProcessor - message from \"python /opt/hunk/etc/apps/Splunk_TA_ipfix/bin/ipfix.py\" WARNING:root:Have not implemented parsing for 'None' of length 8 (5951:319) required for template 284." source="/opt/hunk/var/log/splunk/splunkd.log"
Getting the same error, although we are seeing ipfix data. Is there any update on this? We are not using Hunk.
what version of IPFIX?
I will test it but is ipfix not a supported add-on for Hunk? How else are users supposed to get ipfix data into HDFS?
I changed my configuration to use the index ipfix that sends the data to the splunk DB. After some time, data began to be interpreted but in the server error log the reported error with template 284 still shows the same issue.
index=_internal source=splunkd.log (log_level=ERROR OR log_level=CRIT OR log_level=FATAL) _raw="03-31-2015 13:12:14.610 -0400 ERROR ExecProcessor - message from \"python /opt/hunk/etc/apps/Splunk_TA_ipfix/bin/ipfix.py\" WARNING:root:Have not implemented parsing for 'None' of length 8 (5951:319) required for template 284."
Any idea of how I can get this template imported/available for virtual indexes?
Do you mean to test with a native index?
Yeah, I doubt if it would work differently, but might as well limit the differences between supported config and real world.
I am running the below. Is there an update or patch that I am missing?
Splunk Version 6.2.1
Splunk Build 249325
Splunk Add-on for IPFIX
App Version 5.0.3
Hey, nope, I was just making sure... we don't test IPFIX with Hunk, so it might be related to that, but I wanted to make sure it wasn't something that we already knew about. This looks like it could be a screwy template... we accept a template from the device to instruct us on parsing, and this might mean that it's not lining up with the data. If you can check with a Splunk Enterprise instance too and verify that it acts the same there, this would be worth a support ticket, some more detail, and a pcap if you can.
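To make the "template from the device" point concrete, here is an added example (not code from the Splunk Add-on for IPFIX or from anyone in this thread) of how an IPFIX template record carries an enterprise-specific information element such as the `5951:319` of length 8 named in the log, and how a parser can carry such a field through as opaque bytes instead of aborting the record. The sample message is constructed inline: template ID 284 with two IANA elements and one enterprise element; the meaning of element 319 under private enterprise number 5951 is not known to this code and is deliberately left undecoded. Only a handful of IANA elements get a real decoder; everything else is an assumption-free passthrough.

```python
"""Minimal IPFIX (RFC 7011) template/data-set parser that tolerates unknown
enterprise-specific information elements (IEs) rather than failing on them.
Added example for illustration; not the TA's own parser."""
import struct

# Constructed lookup of a few IANA IEs. Anything absent here, including every
# enterprise-specific IE, is kept as raw bytes so the record still gets indexed.
IANA_IES = {
    7: "sourceTransportPort",
    8: "sourceIPv4Address",
    11: "destinationTransportPort",
    12: "destinationIPv4Address",
}


def parse_template_record(buf, off):
    """Parse one template record at buf[off].
    Returns (template_id, fields, new_offset); each field is (pen, ie_id, length),
    with pen = None for IANA elements."""
    template_id, field_count = struct.unpack_from("!HH", buf, off)
    off += 4
    fields = []
    for _ in range(field_count):
        ie_id, length = struct.unpack_from("!HH", buf, off)
        off += 4
        pen = None
        if ie_id & 0x8000:               # enterprise bit set: a 4-byte PEN follows
            ie_id &= 0x7FFF
            (pen,) = struct.unpack_from("!I", buf, off)
            off += 4
        fields.append((pen, ie_id, length))
    return template_id, fields, off


def field_name(pen, ie_id):
    """Name a field; enterprise IEs use the same PEN:ID notation the TA logs."""
    if pen is None:
        return IANA_IES.get(ie_id, f"iana:{ie_id}")
    return f"{pen}:{ie_id}"


def decode_field(pen, ie_id, raw):
    """Decode the few IANA IEs we know; leave everything else as opaque bytes."""
    if pen is None and ie_id in (8, 12) and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    if pen is None and ie_id in (7, 11) and len(raw) == 2:
        return struct.unpack("!H", raw)[0]
    return raw                           # unknown or enterprise-specific: keep it


def parse_message(buf):
    """Parse one IPFIX message. Returns (templates, records, unknown_ies) where
    unknown_ies is the set of (pen, ie_id, length) triples we could not decode."""
    version, msg_len = struct.unpack_from("!HH", buf, 0)
    if version != 10 or msg_len != len(buf):
        raise ValueError("not a complete IPFIX v10 message")
    off = 16                             # 16-byte message header
    templates, records, unknown = {}, [], set()
    while off < msg_len:
        set_id, set_len = struct.unpack_from("!HH", buf, off)
        set_end = off + set_len
        off += 4
        if set_id == 2:                  # Template Set
            while off + 4 <= set_end:
                tid, fields, off = parse_template_record(buf, off)
                templates[tid] = fields
        elif set_id >= 256:              # Data Set keyed by template ID
            fields = templates[set_id]   # KeyError here = data before template
            rec_len = sum(length for _, _, length in fields)
            while off + rec_len <= set_end:
                rec = {}
                for pen, ie_id, length in fields:
                    raw = buf[off:off + length]
                    off += length
                    if pen is not None or ie_id not in IANA_IES:
                        unknown.add((pen, ie_id, length))
                    rec[field_name(pen, ie_id)] = decode_field(pen, ie_id, raw)
                records.append(rec)
        off = set_end                    # skip any padding at the end of the set
    return templates, records, unknown


def build_sample_message():
    """Constructed sample: template 284 = srcIPv4(4) + dstIPv4(4) + 5951:319(8),
    followed by one data record. Values are made up for the example."""
    tmpl = struct.pack("!HH", 284, 3)
    tmpl += struct.pack("!HH", 8, 4)
    tmpl += struct.pack("!HH", 12, 4)
    tmpl += struct.pack("!HHI", 319 | 0x8000, 8, 5951)   # enterprise IE
    tset = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    rec = bytes([10, 0, 0, 1]) + bytes([192, 168, 1, 20]) + b"\x00" * 7 + b"\x2a"
    dset = struct.pack("!HH", 284, 4 + len(rec)) + rec
    body = tset + dset
    # version 10, length, export time (constructed), sequence 1, observation domain 1
    hdr = struct.pack("!HHIII", 10, 16 + len(body), 1427490166, 1, 1)
    return hdr + body


if __name__ == "__main__":
    tmpls, recs, unk = parse_message(build_sample_message())
    print("templates:", tmpls)
    print("records:", recs)
    for pen, ie_id, length in sorted(unk, key=str):
        print(f"WARNING: no decoder for {field_name(pen, ie_id)} of length {length}")
```

The `unknown` set is what a collector would want to surface once per template rather than once per record: the log line in this thread is exactly that kind of signal, and the useful follow-up is to confirm against a pcap that the exporter's template field lengths match the data records it sends, which is what the support ticket suggestion above is after.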