- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Need Assistance with Netscaler v11 Appflow
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Need Assistance with Netscaler v11 Appflow
We recently upgraded our netscalers from v10 to v11. Soon after our heavy forwarder running the Splunk_TA_IPFIX_UDP_NIX app started running very high memory. We were also dropping 95%+ appflow data. I started researching and upgraded our Splunk Netscaler app and TA to 5.x on the heavy forwarder. The Splunk_TA_ipfix was really the only component that needed to be upgraded, but I thought since I was upgrading one, I would do both.
I am now receiving appflow data again, but it appears that the format has changed. I no longer see fields such as "Address" which used to indicate which netscaler host the log referenced. I also no longer see a timestamp in the log. I do not know if this these log format changes are due to switching to a modular input for receiving appflow or not.
Any assistance with v11 appflow would be appreciated.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been researching and don't know if it is an update to the field names in the IPFIX logs from Netscaler v11 or the difference in the way our Splunk instance is receiving the IPFIX data. Here are some examples of the differences in the log formats:
Splunk_TA_ipfix format:
TimeStamp="2015-11-18T02:37:12"; Template="258"; Observer="0"; Address="10.36.72.60"; Port="36010"; observationPointId="1"; exportingProcessId="0"; flowId="431021945"; transactionId="147769152"; connectionId="431021945"; ipVersion="4"; protocolIdentifier="6"; sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; sourceTransportPort="52566"; destinationTransportPort="80"; packetDeltaCount="1"; octetDeltaCount="692"; tcpControlBits="24"; flowFlags="67239936"; flowStartMicroseconds="1447835832.015953"; flowEndMicroseconds="1447835833.014935"; ingressInterface="2"; egressInterface="2147483651"; appNameAppID="10348"; appUnitNameAppId="0"; httpResponseForwardTimeToFB="0"; httpResponseForwardTimeToLB="0"; httpRequestUrl="/include/ethicsline/telephone3.png"; httpRequestCookie="cookie=monster"; httpRequestReferer="http://inet.alfains.com/bodyho.asp"; httpRequestMethod="GET"; httpRequestHost="inet.alfains.com"; httpRequestUserAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; InfoPath.3)"; httpContentType=""; httpRequestAuthorization=""; httpRequestVia=""; httpRequestXForwardedFor="";
IPFIX Modular Input format:
Sequence="433229920"; Template="258"; observationPointId="1"; exportingProcessId="0"; flowId="448691141"; netscalerTransactionId="154465949"; netscalerConnectionId="448691141"; ipVersion="4"; protocolIdentifier="6"; sourceIPv4Address="x.x.x.x"; destinationIPv4Address="y.y.y.y"; sourceTransportPort="54403"; destinationTransportPort="80"; packetDeltaCount="1"; octetDeltaCount="421"; tcpControlBits="24"; netscalerFlowFlags="67243008"; flowStartMicroseconds="1448037395.930212975"; flowEndMicroseconds="1448037395.930212975"; ingressInterface="2"; egressInterface="2147483651"; netscalerAppNameAppId="10348"; netscalerAppUnitNameAppId="0"; netscalerHttpResForwFB="-2208988800.000000000"; netscalerHttpResForwLB="-2208988800.000000000"; netscalerHttpReqUrl="/favicon.ico"; netscalerHttpReqCookie="cookie=monster"; netscalerHttpReqReferer=""; netscalerHttpReqMethod="GET"; netscalerHttpReqHost="inet.alfains.com"; netscalerHttpReqUserAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C; InfoPath.3)"; netscalerHttpContentType=""; netscalerHttpReqAuthorization=""; netscalerHttpReqVia=""; netscalerHttpReqXForwardedFor="";
Also Netscaler v11 allows for more information to be exported in the IPFIX appflow log.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have upload a screenshot but it is not displaying in the post.
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
