All Apps and Add-ons

Help with Configuration of Splunk for Citrix NetScaler App with AppFlow

edwardrose
Contributor

Hello All

I have read this thread but it still does not make any sense to me. My environment was running the previous version of Splunk for Citirix NetScaler app and I upgraded to the latest. I removed all the old app and setup the deployment client to deploy SplunkforCitrixNetScaler, Splunk_TA_Citrix-NetScaler and Splunk_TA_ipfix on to my heavy forwarders. I also installed the same three apps on my search head. The issue is I try to go into Settings -> Data Inputs -> IPFIX and make changes, but I get an error when I try to save a different configuration. I am confused as to what should be installed where as the documentation for SplunkforCitrixNetScaler app is really vague

Encountered the following error while trying to update: In handler 'ipfix': Parameter port: UDP port 4739 is not available.

It seems that the configuration comes predefined to use 8514 for NetScaler syslogs. We have a total of 6 NetScalers in our environment, 4 in the DMZ and 2 internal. Because of this we are using udp port 5514 for all DMZ NetScalers and 2514 for all internal NetScalers.

Also no matter what I do I cannot get the hostname to show up as the IP address or hostname of the netscaler, instead it shows up as the name of the heavy forwarders. We have been a few days with sporratic data coming in and need to get this resolved as soon as possible. Any and all help would be awesome.

Here is what I think I need to do, Please correct me if I am wrong.

  1. Install Splunk for Citrix NetScaler and Splunk TA IPFIX on search head
  2. Install Splunk_TA_Citrix-NetScaler and Splunk TA IPFIX on DMZ Heavy forwarder and Internal Heavy Forwarder
  3. Configure separate settings for both Heavy Forwarders DMZ using 5514 and Internal using 2514, both using 4739 for appflow
  4. Test and validate

Which is what I did but does not seem to be working.

Thanks
ed

0 Karma
1 Solution

edwardrose
Contributor

I figured out that you must disable the IPFIX input prior to making changes. But should the sourcetype be automatic or should it be appflow. As automatic defaults it back to sourcetype=ipfix.

View solution in original post

0 Karma

edwardrose
Contributor

I figured out that you must disable the IPFIX input prior to making changes. But should the sourcetype be automatic or should it be appflow. As automatic defaults it back to sourcetype=ipfix.

0 Karma

dfronck
Communicator

The Citrix TA default inputs.conf should set the sourcetype to appflow.

IPFix sets the source and host to Host:Port:Observer. I use a transform to set host to the IP address.
[netscaler_appflow-change-host2source]
SOURCE_KEY=MetaData:Source
REGEX=source::(\d+.\d+.\d+.\d+):\d+:\d+
FORMAT=host::$1
DEST_KEY=MetaData:Host

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...