Multiple Netflow Apps ?

kidoucorp
New Member

Hi,

I'm using your wonderful app for Netflow, which is working perfectly.

Here is the problem I have since I upgraded to V2.0 :

I run one instance of splunk, but I'm retrieving netflow records from other servers as well.

I want to split the netflow records for each of my servers; this way I can look at the traffic for a particular server.

What I've done so far was to take your app and rename every reference to "sourcetype=netflow" to "sourcetype=netflow_xxxxx".

So basically, I have one instance of your netflow app for each of my servers.

It was working well on 1.0, but on 2.0 it's not working anymore. I have modified my monitored nfdump.log to go to the index I specified (netflow_si_traffic_xxxx).

But I'm not getting any result in the dashboard. Here is what I'm getting:

This search has completed and has returned 10,000 results by scanning 10,497 events in 0.699 seconds.

The following messages were returned by the search subsystem:

DEBUG: base lispy: [ AND index::netflow_si_traffic_togo ]
DEBUG: search context: user="admin", app="netflow_togo", bs-pathname="/opt/splunk/etc"

Event search : search index=netflow_si_traffic_togo | fields src_ip src_port src_service dst_ip dst_port dst_service proto proto_name router_ip _time num_bytes num_packets bps

If I launch this search manually, I am getting results.

So do you know what the problem could be? Have you changed some parameters on nfdump or nfcapd?

I'm exporting my nfdump.log with the right format (I think): fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %pps %bps %bpp %fl %ra

Thanks for your answer

NetFlow_Logic
Contributor

You may also consider another App based on 3rd-party software, NetFlow Integrator. It is a streaming technology that converts NetFlow to syslog on the fly, thus making it available in Splunk in real time. Sign up for the Beta now. The demo App is here:

http://splunk-base.splunk.com/apps/NetFlow-based+Network+Monitoring+(Beta)

athana
Splunk Employee

In this version (v2.0), I used the Splunk summary index technique to improve searching performance. Therefore, your method of renaming sourcetype=netflow_xxx will not work anymore, because the summary index will rename the sourcetype to 'stash'. What you might be able to do is use the 'host' field in your search to separate each of your servers.
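As an added illustration of the point in this answer (not code from the Netflow app or from athana): the per-server split can be driven by a field carried in each record, such as the exporting router address from %ra, rather than by a sourcetype that the summary index overwrites. The Python below parses nfdump.log lines written with the format string quoted in the question and totals bytes per router; the sample records are constructed, and it assumes counters are printed as plain integers rather than scaled values.

```python
from collections import defaultdict

# Column order follows the nfdump format string quoted in the question:
#   fmt:%ts %td %pr %sap -> %dap %flg %tos %pkt %byt %pps %bps %bpp %fl %ra
# %ts prints as "YYYY-MM-DD HH:MM:SS.mmm", i.e. two whitespace-separated tokens,
# so a record has 16 tokens. Assumption: counters are plain integers (no "1.2 M").

def split_addr_port(field):
    """Split an nfdump address/port token. IPv4 uses ':' before the port;
    IPv6 uses '.' (assumption about nfdump's output formatting)."""
    sep = "." if field.count(":") > 1 else ":"
    addr, _, port = field.rpartition(sep)
    return addr, int(port)

def parse_nfdump_line(line):
    """Map one nfdump.log record onto the field names the dashboard search uses."""
    t = line.split()
    if len(t) != 16 or t[5] != "->":
        raise ValueError("unexpected nfdump record layout: %r" % line)
    src_ip, src_port = split_addr_port(t[4])
    dst_ip, dst_port = split_addr_port(t[6])
    return {
        "_time": t[0] + " " + t[1], "duration": float(t[2]), "proto_name": t[3],
        "src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port,
        "flags": t[7], "tos": int(t[8]), "num_packets": int(t[9]), "num_bytes": int(t[10]),
        "pps": int(t[11]), "bps": int(t[12]), "bpp": int(t[13]), "flows": int(t[14]),
        "router_ip": t[15],
    }

def bytes_per_router(lines):
    """Total bytes per exporting router: the per-server split keyed on a field value."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_nfdump_line(line)
        totals[rec["router_ip"]] += rec["num_bytes"]
    return dict(totals)

SAMPLE = [  # constructed records, not real traffic
    "2012-05-01 10:21:33.457 0.000 TCP 192.0.2.10:54321 -> 198.51.100.5:443 .AP.SF 0 12 3456 0 0 288 1 10.0.0.1",
    "2012-05-01 10:21:34.101 2.500 UDP 192.0.2.11:5353 -> 198.51.100.7:53 ...... 0 4 512 1 1638 128 1 10.0.0.2",
    "2012-05-01 10:21:35.000 0.010 TCP 2001:db8::1.443 -> 2001:db8::2.50000 .A.... 0 2 120 200 96000 60 1 10.0.0.1",
]

if __name__ == "__main__":
    print(bytes_per_router(SAMPLE))  # {'10.0.0.1': 3576, '10.0.0.2': 512}
```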
