Streamfwd is not forwarding netflow v9 data to SH

trkswe
New Member

Hi All,

  1. Installation of Splunk Stream App on the Search Head was done.
  2. Using curl, the streamfwd was installed on Linux machine.
  3. Later HEC was enabled and the token was updated in indexers through cluster master.

The environment has 1 Search head, 2 Indexers, 1 Cluster Master, and 1 Deployment server.
All servers are windows servers. Only the streamfwd machine is a Linux machine.
Netflow data is being received on port 9999.

We have also configured the inputs.conf and streamfwd.conf based on instructions on Splunk docs.
But we do not see any data ingestion.
We confirmed data being received on port 9999 by tcpdump commands.

Thank you.

0 Karma

mdsnmss
SplunkTrust

Did you configure the Streams after configuring the streamfwd? In the Splunk Stream App under "Configuration-->Configure Streams" you define what you want streamfwd to collect. There you create/enable your Streams to collect that define which fields you'd like extracted from that data. Then under "Configuration-->Distributed Forwarder Management" you define your groups to target which forwarders get what Streams.

0 Karma

trkswe
New Member

Thanks for the reply.

  1. Did you configure the Streams after configuring the streamfwd?
    Yes, we have configured the streams and enabled "netflow" stream.
    By default we have selected all the 154 fields in "netflow" stream.

  2. "Configuration-->Distributed Forwarder Management" - define your groups to target
    Unable to find the 'streamfwd' here, under "Matched Forwarders".
    (Initially, we added to 'default group', but later created a new group as well.)

Could there be any issues with the 'streamfwd' installation with curl?
Are any manual configuration updates required in inputs.conf and streamfwd.conf?

Thanks a lot.

0 Karma

mdsnmss
SplunkTrust

Did you configure HEC on your indexers receiving the data? Docs for it here: https://docs.splunk.com/Documentation/StreamApp/7.1.3/DeployStreamApp/InstallStreamForwarderonindepe.... You also need to have the inputs.conf on your indexers specifying how the data is coming in since it isn't from traditional Splunk2Splunk. The standalone streamfwd sends data via HEC so you need to configure a token, and add that token to your indexers and your forwarder. Your config on your inputs.conf on your indexer might look something like this:

[http://streamfwd]
disabled = 0
index = your_default_index
token = your_hec_token
indexes = _internal, main, other_indexes_that_this_token_can_send_to

Relevant inputs.conf docs: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf#HTTP_Event_Collector_.28HEC.29_...

0 Karma
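The checks this answer walks through (HEC enabled, a token stanza for streamfwd, a usable default index) can be run over an inputs.conf before restarting anything. The script below is an added example, not code from the thread or from Splunk's own tooling: it parses inputs.conf text with Python's configparser, uses the [http://streamfwd] stanza name and keys from the example above, and the two conf texts are constructed samples; flagging a default index that is absent from the token's indexes list is a consistency check chosen for this example.

```python
"""Find the usual reasons an HEC-backed streamfwd ships nothing: HEC globally
disabled, token stanza missing or disabled, empty token, or a default index
the token is not allowed to write to. Added example; stanza name and keys
follow the inputs.conf snippet in the answer above."""
import configparser


def parse_conf(text):
    """Parse Splunk .conf text (INI-style); interpolation off, values may hold '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def check_hec_config(text, stanza="http://streamfwd"):
    """Return a list of findings; an empty list means no obvious HEC problem."""
    cp = parse_conf(text)
    findings = []
    # HEC is off unless the global [http] stanza has disabled = 0
    if not cp.has_section("http") or cp.get("http", "disabled", fallback="1").strip() != "0":
        findings.append("[http] stanza missing or disabled = 1: HEC is not enabled")
    if not cp.has_section(stanza):
        findings.append(f"[{stanza}] stanza missing: no HEC token for streamfwd")
        return findings
    s = cp[stanza]
    if s.get("disabled", "0").strip() == "1":
        findings.append(f"[{stanza}] is disabled")
    if not s.get("token", "").strip():
        findings.append(f"[{stanza}] has no token value")
    index = s.get("index", "").strip()
    allowed = [i.strip() for i in s.get("indexes", "").split(",") if i.strip()]
    # the token may only write to 'indexes'; the default index should be among them
    if index and allowed and index not in allowed:
        findings.append(f"default index '{index}' is not in the indexes list {allowed}")
    return findings


# Constructed sample: HEC enabled, token stanza consistent
SAMPLE_OK = """
[http]
disabled = 0
port = 8088

[http://streamfwd]
disabled = 0
index = netflow
token = 00000000-0000-0000-0000-000000000000
indexes = _internal, main, netflow
"""

# Constructed sample: no [http] stanza, default index outside the allowed list
SAMPLE_BROKEN = """
[http://streamfwd]
disabled = 0
index = netflow
token = 00000000-0000-0000-0000-000000000000
indexes = _internal, main
"""

if __name__ == "__main__":
    for name, conf in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(name, check_hec_config(conf) or "no findings")
```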

dm1
Contributor

Does the stream add-on support sending data to Indexers using S2S communication on port 9997?

The docs only seem to emphasize showing integration using HEC.

0 Karma