I have installed the NetFlow for Splunk app and verified that data is flowing to the server, but I do not see any data showing up on the dashboard. There is no data for NETFLOW being captured. Where can I go to test?
The underlying technology in this App - nfdump - was replaced with a free limited edition of NetFlow Integrator.
For a high volume of NetFlow records you may consider this App and TA.
The app appears to be missing the index location in inputs.conf.
Add this to each stanza and it will work.
vim /opt/splunk/etc/apps/netflow/default/inputs.conf
Add index=netflow_si_traffic to the 3 stanzas in the file and restart Splunk.
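As an added example (not code from the thread or from the app itself), a POSIX shell helper that applies the edit described above to every stanza of a copy of inputs.conf, plus a check that counts stanzas still lacking an index= line. The index name netflow_si_traffic comes from the answer above; the stanza paths in the demo are constructed, not the app's real ones.

```shell
#!/bin/sh
# Added example, not from the thread above. Given a Splunk inputs.conf,
# print a copy in which every [stanza] that sets no index= line gets
# "index = netflow_si_traffic" appended; stanzas that already set an
# index are left alone. Output goes to stdout so it can be reviewed
# before being written to the app's local/inputs.conf.
add_netflow_index() {
    awk -v idx="${2:-netflow_si_traffic}" '
        # flush(): at the end of a stanza, append the index line if missing
        function flush() {
            if (in_stanza && !has_index) print "index = " idx
            in_stanza = 0; has_index = 0
        }
        # blanks(): emit blank lines held back so the index line lands
        # directly under the stanza it belongs to, not after the gap
        function blanks() { while (pending > 0) { print ""; pending-- } }
        /^[ \t]*$/            { pending++; next }
        /^[ \t]*\[/           { flush(); blanks(); in_stanza = 1; print; next }
        /^[ \t]*index[ \t]*=/ { has_index = 1 }
                              { blanks(); print }
        END                   { flush(); blanks() }
    ' "$1"
}

# count_missing_index FILE: print how many stanzas in FILE set no index=
count_missing_index() {
    awk '
        function flush() { if (in_stanza && !has_index) missing++; in_stanza = 0; has_index = 0 }
        /^[ \t]*\[/           { flush(); in_stanza = 1 }
        /^[ \t]*index[ \t]*=/ { has_index = 1 }
        END                   { flush(); print missing + 0 }
    ' "$1"
}

# Demo on a constructed inputs.conf (illustrative paths, not the app's real
# stanzas): the first stanza lacks an index, the second already has one.
demo_conf=$(mktemp)
printf '%s\n' \
    '[monitor:///opt/splunk/etc/apps/netflow/log/nfdump]' \
    'sourcetype = netflow' \
    '' \
    '[monitor:///var/log/messages]' \
    'sourcetype = syslog' \
    'index = main' > "$demo_conf"
echo "stanzas without index before: $(count_missing_index "$demo_conf")"  # prints 1
add_netflow_index "$demo_conf"
rm -f "$demo_conf"
```

Splunk reads an app's local/ directory over its default/, so writing the reviewed output to $SPLUNK_HOME/etc/apps/netflow/local/inputs.conf keeps the change from being overwritten by an app upgrade.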
Splunk for NetFlow App based on nfdump works just fine, and there is nothing wrong with it. nfdump, being open source and free, could be painful to install and configure. It also may not be practical even in the case of a typical NetFlow volume observed in medium-size networks.
You may consider an alternative solution - NetFlow Integrator. Here are some of the main features:
Here are the links to Splunk App and TA:
I apologize this does not answer your specific query, but it relates to NetFlow data in Splunk. I have been using ProQueSys FlowTraq (our partner) for full-fidelity NetFlow data in Splunk. They recently added strong syslog capability.
It has multiple OS support and software flow exporters with volume-based pricing like Splunk, which makes for really flexible flow deployment. You can check it out here.
Did you install the NetFlow App on a Linux box, because it only runs on Linux?
Have you configured a data input on the Splunk Server?
You will need to configure either a UDP or TCP data input on the Splunk indexer that corresponds to the port you configured on your device sending NetFlow data, i.e. UDP 9996.
Also, according to the README that comes with the Netflow app make sure that the data input is set to a sourcetype of "netflow".
I agree, these are very unusual instructions. The Netflow app appears to use a file input for etc/apps/netflow/log/nfdump. I do not have a TCP input for the same port nfcap is listening on.
This is the part that I don't understand. I specified port 9990 in the config.ini, and I see that there is a process running nfcapd with "-p 9990" specified. If I add a udp input for splunk on port 9990, nfcapd won't be able to listen on that port since it's already in use.
The cryptic README says that NetFlow flows are captured using nfdump (and nfcapd?) and "fed" into Splunk. How is it fed? I see 2 file inputs with the NetFlow app, both with sourcetype already set to netflow. "The app relies on the sourcetype=netflow." isn't very helpful, as it doesn't say what source needs that sourcetype.
If nfdump from the app is capturing properly, it should write log files in the app's directory (netflow/log/nfdump/).
Also check if the listening port is the right one in $SPLUNK_HOME/etc/apps/netflow/default/config.ini.
And last you can search the internal log for any errors:
index=_internal sourcetype=splunkd ("nfdump" OR "netflow")
Can't get this to work at all. Any more install notes available?
I am also disappointed in this app. I can't find enough info for it and it's frustrating.
Here is a little more detailed description:
The landing page for NETFLOW is saying "No results found. Inspect ..." When I look at the search, the inspector is saying that it did not match any results for "sourcetype=netflow | bin _time span=5m | stats sum(num_bytes) AS TotalBytes sum(num_packets) AS TotalPackets avg(bps) AS AvgBps by srcip srcport srcservice dstip dstport dstservice proto proto_name _time router_ip".
When I run that search it returns a lot of data.