
Multiple Netflow Apps?

kidoucorp
New Member

Hi,

I'm using your wonderful app for Netflow, which is working perfectly.

Here is the problem I have had since I upgraded to V2.0:

I run one instance of splunk, but I'm retrieving netflow records from other servers as well.

I want to split the netflow records for each of my servers; this way I can look at the traffic for a particular server.

What I've done so far was to take your app and rename every reference to "sourcetype=netflow" to "sourcetype=netflow_xxxxx".

So basically, I have one instance of your netflow app for each of my servers.

It was working well on 1.0, but on 2.0 it's not working anymore. I have modified my monitored nfdump.log to go to the index I specified (netflow_si_traffic_xxxx).

But I'm not getting any result in the dashboard; here is what I'm getting:

This search has completed and has returned 10,000 results by scanning 10,497 events in 0.699 seconds.

The following messages were returned by the search subsystem:

DEBUG: base lispy: [ AND index::netflow_si_traffic_togo ]
DEBUG: search context: user="admin", app="netflow_togo", bs-pathname="/opt/splunk/etc"

Event search : search index=netflow_si_traffic_togo | fields src_ip src_port src_service dst_ip dst_port dst_service proto proto_name router_ip _time num_bytes num_packets bps

If I launch this search manually, I am getting results.

So do you know what the problem could be? Have you changed some parameters on nfdump or nfcapd?

I'm exporting my nfdump.log with the right format (I think): fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %pps %bps %bpp %fl %ra

Thanks for your answer.


NetFlow_Logic
Contributor

You may also consider another App based on third-party software, NetFlow Integrator. It is a streaming technology that converts NetFlow to syslog on the fly, thus making it available in Splunk in real time. Sign up for the Beta now. The demo App is here:

http://splunk-base.splunk.com/apps/NetFlow-based+Network+Monitoring+(Beta)

athana
Splunk Employee

In this version (v2.0), I used the Splunk summary index technique to improve searching performance. Therefore, your method of renaming sourcetype=netflow_xxx will not work anymore, because the summary index will rename the sourcetype to 'stash'. What you might be able to do is use the 'host' field in your search to separate each of your servers.

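As an added example (not code from the Netflow app or from either poster), the following parser reads nfdump.log lines written with the fmt string quoted in the question and totals bytes per exporter using the %ra (router IP) column, which is the per-server split the thread is after. The sample lines are constructed, the field names follow the event search quoted above, and plain integer counters (no nfdump scale suffixes) are assumed.

```python
from collections import defaultdict

# Token layout of one record written with the thread's format string:
#   fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %pps %bps %bpp %fl %ra
# %ts expands to "YYYY-MM-DD HH:MM:SS.mmm" (two whitespace tokens), so a
# record splits into 16 tokens with "->" as a literal separator.
FIELD_NAMES = ["ts_date", "ts_time", "td", "proto", "src", "arrow", "dst",
               "flags", "tos", "num_packets", "num_bytes", "pps", "bps",
               "bpp", "flows", "router_ip"]

# Constructed sample lines standing in for nfdump.log; not real traffic.
SAMPLE_LOG = """\
2013-03-07 12:34:56.123 0.500 TCP 10.0.0.5:52345 -> 203.0.113.9:443 .AP.SF 0 12 3456 24 55296 288 1 192.0.2.1
2013-03-07 12:34:57.001 0.010 UDP 10.0.0.7:51000 -> 198.51.100.2:53 ...... 0 1 64 100 51200 64 1 192.0.2.1
2013-03-07 12:35:02.500 1.200 TCP 172.16.4.2:40001 -> 203.0.113.9:443 .AP... 0 40 60000 33 400000 1500 1 192.0.2.2
"""


def split_endpoint(endpoint):
    """Split 'ip:port' into (ip, port); rpartition keeps IPv6 addresses intact."""
    ip, _, port = endpoint.rpartition(":")
    return ip, int(port)


def parse_line(line):
    """Parse one nfdump record into the field names used by the app's search.

    Returns None for blank or malformed lines (e.g. an nfdump summary line),
    so one stray line does not abort processing of the whole file.
    """
    tokens = line.split()
    if len(tokens) != len(FIELD_NAMES) or tokens[5] != "->":
        return None
    rec = dict(zip(FIELD_NAMES, tokens))
    src_ip, src_port = split_endpoint(rec["src"])
    dst_ip, dst_port = split_endpoint(rec["dst"])
    return {
        "_time": rec["ts_date"] + " " + rec["ts_time"],
        "proto_name": rec["proto"],
        "src_ip": src_ip, "src_port": src_port,
        "dst_ip": dst_ip, "dst_port": dst_port,
        "num_packets": int(rec["num_packets"]),
        "num_bytes": int(rec["num_bytes"]),
        "bps": int(rec["bps"]),
        "router_ip": rec["router_ip"],
    }


def bytes_per_router(text):
    """Total num_bytes per exporting router (%ra), one bucket per server."""
    totals = defaultdict(int)
    for rec in filter(None, map(parse_line, text.splitlines())):
        totals[rec["router_ip"]] += rec["num_bytes"]
    return dict(totals)
```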