How to configure the Splunk Add-on for NetFlow to ...

edwardrose · ‎07-14-2015

Hello All,

I was curious as to how to get the Splunk NetFlow Add-On to report the specific host of the device that is forwarding the data instead of the heavy forwarder which the add-on is running on.

   7/14/15     10:37:37.201 AM      2015-07-14 10:37:37,2015-07-14  10:37:41,3.904,134.86.135.65,147.34.89.129,161,60969,UDP,.A....,0,0,2,232,0,0,2,8,0,0,32,17,0,0,139.181.233.206,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,    0.000,    0.000,    0.000,139.181.233.216,0/0,38,2015-07-14 10:23:16.278
    host = splk-gns-fwd-01.wv.mentorg.com source = /opt/splunk/etc/apps/Splunk_TA_flowfix/nfdump-ascii/nfdump-csv_20150714102355.log sourcetype = netflow

All entries have the host as splk-gns-fwd-01, just want to make sure we get the host filled with the originating host not the forwarder.

thanks
ed

jcoates_splunk · ‎07-25-2015

you should be able to use local/props.conf to override. http://docs.splunk.com/Documentation/Splunk/6.2.4/admin/Propsconf

How to configure the Splunk Add-on for NetFlow to report the hostname of the device forwarding data, not the heavy forwarder the add-on is running on?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...