Hi,
I'm using the latest Splunk version and NetScaler 10.1.
On the index head I have installed the Splunk_TA_Citrix-Netscaler & IPFIX, and on the search head I have installed the software and the TA & IPFIX.
I can see in Splunk that data is coming in:
12/16/14 11:54:21.000 AM
Dec 16 11:54:21 10.40.2.224 16/12/2014:11:47:21 GMT 0-PPE-0 : UI CMD_EXECUTED 1489 0 : User NDS_support - Remote_ip 10.56.182.0 - Command "show ns hardware" - Status "Success"
• host = 10.40.2.224 • source = udp:514 • sourcetype = syslog
When I get to the Splunk for NetScaler software, it doesn't recognize the NetScaler.
I've modified Splunk_TA_Citrix-NetScaler/default/inputs.conf to be:
[udp://514]
#connection_host = dns
sourcetype = ns_log
index = netscaler
disabled = false
# A separate IPFIX addon is needed in order for the following stanza to work. http://apps.splunk.com/app/1801/
[ipfix://NetScaler_AppFlow]
sourcetype = appflow
index = netscaler
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = true
Looks like your ipfix input is disabled.
I've tried to change it to false - nothing has changed 😞
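
Added example, not part of the thread and not the TA's own code: a Python check that compares the `inputs.conf` stanzas as posted with the field summary on the indexed event shown in the question. It assumes Python's `configparser` is close enough to Splunk's conf syntax for this fragment; `parse_meta` and `check` are hypothetical helper names.

```python
import configparser

# inputs.conf stanzas as posted in the thread
INPUTS_CONF = """
[udp://514]
#connection_host = dns
sourcetype = ns_log
index = netscaler
disabled = false

[ipfix://NetScaler_AppFlow]
sourcetype = appflow
index = netscaler
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = true
"""

# Field summary Splunk showed under the indexed event in the thread
EVENT_META = "• host = 10.40.2.224 • source = udp:514 • sourcetype = syslog"

def parse_meta(line):
    """Turn '• k = v • k = v' into a dict of field names to values."""
    pairs = (p.split("=", 1) for p in line.split("•") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def check(conf_text, meta_line):
    """Return findings where the stanzas and the event metadata disagree."""
    conf = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    conf.read_string(conf_text)
    meta = parse_meta(meta_line)
    # An event with source 'udp:514' comes from the input stanza 'udp://514'
    stanza = meta["source"].replace(":", "://", 1)
    findings = []
    if not conf.has_section(stanza):
        findings.append(f"no [{stanza}] stanza in this file")
    else:
        want = conf[stanza].get("sourcetype")
        if want and want != meta.get("sourcetype"):
            findings.append(f"[{stanza}] sets sourcetype={want}, "
                            f"event has sourcetype={meta.get('sourcetype')}")
    for name in conf.sections():
        if conf[name].getboolean("disabled", fallback=False):
            findings.append(f"[{name}] is disabled")
    return findings

if __name__ == "__main__":
    for finding in check(INPUTS_CONF, EVENT_META):
        print(finding)
```

On a live instance, `splunk btool inputs list --debug` shows which file each effective input setting is read from.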