Hi Jbennett_splunk
Thanks for the reply. The netscaler configuration should be ok and it was working up until the point where I updated Splunk for Citrix Netscaler to the latest version. As far as I can tell the settings are exactly the same as in the example above. I am not sure what you mean by 'match where you are sending the data' so if you could elaborate that would be great.
If we are talking about the [ipfix://...] section of the inputs.conf file then I believe that is ok. I am a real newbie at this so I am unsure of how exactly one does a manual search.
To me it looks like Splunk is receiving data from the netscaler but not doing anything meaningful with it.
I am seeing the following error messages.
09-25-2014 16:12:23.590 +1000 ERROR SearchScheduler - Error in 'SearchOperator:copyresults': Cannot find results for search_id 'scheduler__nobody__SplunkforCitrixNetScaler__RMD5e6c1124fdfffb39d_at_1411625511_0'., search='copyresults dest="appid_lookup" sid="scheduler__nobody__SplunkforCitrixNetScaler__RMD5e6c1124fdfffb39d_at_1411625511_0"'
09-25-2014 16:11:57.614 +1000 ERROR ExecProcessor - message from "python /opt/splunk/etc/apps/Splunk_TA_ipfix/bin/ipfix.py" CRITICAL:ipfix:Traceback (most recent call last): || File "/opt/splunk/etc/apps/Splunk_TA_ipfix/bin/splunklib/modularinput/script.py", line 74, in run_script || self.stream_events(self._input_definition, event_writer) || File "/opt/splunk/etc/apps/Splunk_TA_ipfix/bin/IPFIX/ModInput.py", line 105, in stream_events || s.bind((bind_host, bind_port)) || File "/opt/splunk/lib/python2.7/socket.py", line 224, in meth || return getattr(self._sock,name)(*args) || error: [Errno 98] Address already in use