All Apps and Add-ons

Installation of Splunk Add-on for Netflow didn't work, what can I do to troubleshoot?

manus
Communicator

I downloaded and followed the instruction of the installation of Splunk Add-On for Netflow.
https://apps.splunk.com/app/1658/
I followed the steps, but something didn't work.
No data is getting indexed to index=netflow.
In the script configure.sh, I configured port 2055 as UDP listener.
After I restarted Splunk,
netstat -ano|grep 2055
doesn't return anything, so it means Splunk doesn't listen on this port at all.
I didn't find any useful message in:
index=_internal netflow
So I really have no clue how to continue on this installation.
Any help would be greatly appreciated.

1 Solution

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

let's start with the platform -- are you doing this on a supported platform?

uname -s
uname -p
grep GenuineIntel /proc/cpuinfo
grep AuthenticAMD  /proc/cpuinfo

Next, I wonder whether configure.sh wrote the $SPLUNK_HOME/etc/apps/TA-flowfix/bin/flowfix.sh file correctly -- is it there?

Then, did it write $SPLUNK_HOME/etc/apps/TA-flowfix/default/inputs.conf and $SPLUNK_HOME/etc/apps/TA-flowfix/default/indexes.conf ?

If it made it that far, what do those files have in them?

View solution in original post

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

let's start with the platform -- are you doing this on a supported platform?

uname -s
uname -p
grep GenuineIntel /proc/cpuinfo
grep AuthenticAMD  /proc/cpuinfo

Next, I wonder whether configure.sh wrote the $SPLUNK_HOME/etc/apps/TA-flowfix/bin/flowfix.sh file correctly -- is it there?

Then, did it write $SPLUNK_HOME/etc/apps/TA-flowfix/default/inputs.conf and $SPLUNK_HOME/etc/apps/TA-flowfix/default/indexes.conf ?

If it made it that far, what do those files have in them?

0 Karma

manus
Communicator

Hello, thanks for replying. Somebody else took over the installation, and managed to make it work. I don't know what he did. I'll comment when I find out (he's out currently).

0 Karma

aariya01
New Member

Hi,
I am facing the similar issue after integrating Netflow to splunk I am not getting data on splunk,
After configuring the configure.sh script, I got both the files at mentioned location $SPLUNK_HOME/etc/apps/TA-flowfix/default/inputs.conf and $SPLUNK_HOME/etc/apps/TA-flowfix/default/indexes.conf ,

Could anyone please explain what steps shall I take next to troubleshoot this issue.

Thanks in advance!!!

0 Karma

dstamler_tbte
Explorer

So I've done all of this and I still have the same issue. I followed what was mentioned in another thread about creating the directories for nfdump-ascii and nfdump-binary as well (they were missing inside $SPLUNK_HOME/etc/apps/Splunk_TA_flowfix/. Still nothing. Any other ideas? I'm curious how your system started working.

UPDATE:
Manually running flowfix.sh gives "Receive socket error: could not open the requested socket". I'm running as non-root. This could be part of the issue.

UPDATE 2:
I now have it running non-root. I changed the inbound port to 9996 and opened the firewall. I'm going to re-test next week with port 2055 again since that shouldn't have been a problem as I had done multiple reboots and verified with ss -lpu that port 2055 wasn't used. I will say this though— it's CentOS 7 with the new firewall-cmd instead of iptables. It's entirely possible that I overlooked the --permanent flag when I created the firewall rule for port 2055 the first time and that it didn't survive the reboot. That would explain the error.

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

I expect that is almost certainly the issue.

edit: I verified that this is certainly the issue. Root permissions are required.

0 Karma

dstamler_tbte
Explorer

I have it running non-root (albeit on a different port) now.

0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

I asked the developer if it would work as a non-root user. Did you go to a port above 1024?

0 Karma

dstamler_tbte
Explorer

For sure! The standard port for netflow is UDP 2055 anyway. You can't run anything non-root under port 1024 on linux without using POSIX capabilities, authbind (or forwarding the lower port to a higher-one).

0 Karma

mbenwell
Communicator

I installed it 2 weeks ago, and also had issues getting it started. It should be fine on udp 2055.

Not sure what happened but for some reason the following directories were not being created:
./Splunk_TA_flowfix/nfdump-ascii
./Splunk_TA_flowfix/nfdump-binary

After creating them manually it worked fine.

Also worth looking at, the flowfix.sh script has hard coded paths. The configure.sh script assumes/expects it is being run from the directory the script is in. Also be aware of the paths in flowfix.sh if you ever move the TA to another host.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...