Solved: Can you run the old IPFIX app with the new NetScal...

dfronck · ‎12-02-2014

We upgraded our NetScalers from v9 to v10 so I had to update the NetScaler app to v5. I installed the IPFix v5.0.1 app and it does not work as expected. There are a lot of issues like my host is the heavy forwarder instead of the NetScaler and the source is getting changed to "source = DataSource(address[0], address[1], observer_id)" which appears to be NS_IP:PORT:INSTANCE?

Any way, that's just inconvenient, the real problem is that the app crashes 2, 3, 4 times a day and I have to restart Splunk to get it working again. I have a case open with Splunk. The CRITICAL error that's getting thrown is "UnicodeDecodeError: 'utf8' codec can't decode byte 0x96 in position 967: invalid start byte"; it doesn't like something in our data.

The old v4.8 IPFIX app never had this issue so I was wondering if I could just roll back to that one.

jbennett_splunk · ‎12-03-2014

The data is structured differently, so I don't think it will work.

View solution in original post

jbennett_splunk · ‎12-03-2014

The data is structured differently, so I don't think it will work.

dfronck · ‎12-03-2014

The good news is that it generates the same error every time so I wrote a script that greps the ipfix logs for the error and restarts splunk whenever it occurs. All of our other logs go into syslog so we're only losing 3 minutes of NetScaler logs 3 or 4 times a day.

I assume I can fix the host in props for the NS app.

Can you run the old IPFIX app with the new NetScaler app?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!