How do I run the Add-on for IPFIX to gather appflow data as a linux daemon?

joelyon
Explorer

In the README that comes with the Splunk_TA_ipfix, there is this line:

"This add-on captures binary data sent over UDP, decodes it and provides the index-time and search-time extractions for all IPFIX data sources and templates."

"This add-on can parse Cisco Netflow v9+, Citrix Appflow v1+ and other IPFIX streams sent over UDP."

"It can be configured to run from splunkd and stream data directly to Splunk, or to run as a linux daemon streaming data to disk (which can be monitored by Splunk)."

That last part is what I want to do... capture as a linux daemon and ingest by using a Splunk monitor stanza in an inputs.conf on a UF....

Nowhere else in the massive (8 pages) TA documentation does it provide any further information.


jbennett_splunk
Splunk Employee

If anyone had noticed it in the ReadMe, it probably would have been removed from there, as well 😉

At one time in that code's past, there was explicit support for running it separately as a daemon, but I'm pretty sure it's "not supported" to run it that way (and I'm not sure it will work anyway, because it's been re-written as a "Modular Input" and expects its parameters to be passed in that way).

It does have an undocumented --input parameter which can be used to pass the path to an xml file with the configuration in it (that is: modular inputs expect their configuration to be streamed to their stdin as an XML document, but this one can accept the document as a path argument).

There's also a logging.conf.sample file which should show how to log the output to a file.

I'll have a go at documenting how and see if I can get it put in the online documentation, but I wanted to post this much now.

0 Karma
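The answer above describes the mechanism: a modular input normally receives its configuration as an XML document on stdin, and this add-on can instead take that document as a file path via `--input`. The following is an added example (not code from Splunk_TA_ipfix or from the poster) that builds, writes and reads back such a document using the standard modular-input elements (`input`, `server_host`, `server_uri`, `session_key`, `checkpoint_dir`, `configuration`, `stanza`, `param`). The stanza name `ipfix://daemon` and the parameters `port` and `protocol` are hypothetical placeholders; the real names come from the add-on's own inputs.conf.spec.

```python
"""Build the XML configuration document a Splunk modular input expects on
stdin, so it can be saved to disk and handed to the script by path.

Added example; not code from Splunk_TA_ipfix. The stanza and parameter
names used by callers are placeholders: take the real ones from the
add-on's inputs.conf.spec.
"""
import os
import xml.etree.ElementTree as ET


def build_modinput_config(stanza_name, params, checkpoint_dir,
                          server_host="localhost",
                          server_uri="https://127.0.0.1:8089",
                          session_key="PLACEHOLDER-SESSION-KEY"):
    """Return the modular-input configuration document as a string.

    server_uri and session_key are what splunkd would normally fill in;
    when the input is started outside splunkd they are placeholders.
    """
    root = ET.Element("input")
    ET.SubElement(root, "server_host").text = server_host
    ET.SubElement(root, "server_uri").text = server_uri
    ET.SubElement(root, "session_key").text = session_key
    ET.SubElement(root, "checkpoint_dir").text = checkpoint_dir
    conf = ET.SubElement(root, "configuration")
    stanza = ET.SubElement(conf, "stanza", name=stanza_name)
    for key, value in params.items():
        ET.SubElement(stanza, "param", name=key).text = str(value)
    return ET.tostring(root, encoding="unicode")


def write_modinput_config(path, xml_text):
    """Write the document with owner-only permissions (it may carry a
    session key) and return the path to pass as the --input argument."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return path


def parse_modinput_config(xml_text):
    """Read the document back into (stanza_name, params), mirroring what
    the modular input does with the stream or file it is given."""
    root = ET.fromstring(xml_text)
    stanza = root.find("configuration/stanza")
    if stanza is None:
        raise ValueError("document has no configuration/stanza element")
    params = {p.get("name"): p.text for p in stanza.findall("param")}
    return stanza.get("name"), params


if __name__ == "__main__":
    # Constructed sample: hypothetical stanza and parameter names.
    doc = build_modinput_config(
        "ipfix://daemon",
        {"port": 4739, "protocol": "udp"},
        checkpoint_dir="/var/lib/ipfix-checkpoint",
    )
    out = write_modinput_config("ipfix_input.xml", doc)
    print("wrote", out)
    print(parse_modinput_config(doc))
```

The resulting file would be passed to the add-on's modular-input script with `--input ipfix_input.xml` (the script's own name and its real parameters are not given on this page). Because the document can contain a session key, the writer creates it with mode 0600; when running outside splunkd no valid key is available, so the field stays a placeholder.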