Splunk for Citrix doesn't work :-(

sbeamro · ‎12-25-2014

Hi,
I'm using the latest Splunk version , and netscaler 10.1.
I have installed on the index head the Splunk_TA_Citrix-Netscaler & IPFIX, and on search head I have installed the software and the TA & IPFIX.

I can see over the Splunk that data is getting -

12/16/14 11:54:21.000 AM Dec 16
11:54:21 10.40.2.224
16/12/2014:11:47:21 GMT 0-PPE-0 : UI
CMD_EXECUTED 1489 0 : User NDS_support
- Remote_ip 10.56.182.0 - Command "show ns hardware" - Status "Success"
• host = 10.40.2.224 • source =
udp:514 • sourcetype = syslog

when I'm getting to the splunk for Netscaler software it doesn't recognize the Netscaler.

I've modified over Splunk_TA_Citrix-NetScaler/default/inputs.conf to be -

[udp://514]
#connection_host = dns
sourcetype = ns_log
index = netscaler
disabled = false

# A separate IPFIX addon is needed in order for the following stanza to work.  http://apps.splunk.com/app/1801/
[ipfix://NetScaler_AppFlow]
sourcetype = appflow
index = netscaler
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = true

jconger · ‎01-05-2015

Looks like your ipfix input is disabled.

sbeamro · ‎01-06-2015

I've tried to change it to false - nothing has changed 😞

Splunk for Citrix doesn't work :-(

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor