All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

A wrong configuration script (configure.sh) in Splunk Add-on for NetFlow Ver 3.0.1.

sunrise
Contributor
‎08-23-2015 09:58 PM

This post is not a question, but an enhancement request for Splunk Add-on for NetFlow Ver 3.0.1.
I installed Splunk Enterprise 6.2.5 and Splunk Add-on for NetFlow Ver 3.0.1 on a Linux server and configured it by "configure.sh" in this add-on.

Though I've done this almost default settings and transferred netflow packets to this UDP receiving port, I could not get any netflow packets in Splunk.

Reply
1 Solution
Solved! Jump to solution
Solution

sunrise
Contributor
‎08-23-2015 10:04 PM

In some tests, I got a solution to this issue.
I found that "configure.sh" may be wrong.

Original "configure.sh" in this App (Ver 3.0.1) includes following lines.
let keepDays=$keepDays-1
if [[ -z "$keepDays" ]]; then
keepDays="2"
fi

This causes wrong days to keep ascii flow logs in flowfix.sh which is executed by script stanza in inputs.conf.
find /opt/splunk625/etc/apps/Splunk_TA_flowfix/nfdump-ascii -type f -mtime +-1 -exec rm -f {} \;

So if you encounter this issue, you need to change flowfix.sh manually, or specify custom days during its configurations.

View solution in original post

Reply
Solved! Jump to solution

huns0004
Engager
‎09-04-2016 07:27 AM

I have also found this bug. Enter the days manually or change the script to do the null comparison first.

Disappointing that this has been out there for over a year and hasn't been fixed yet.

0 Karma
Reply
Solved! Jump to solution

thejohn
Path Finder
‎01-24-2016 02:44 PM

the script has major errors which results in a broken flowfix.sh file.

0 Karma
Reply
Solved! Jump to solution
Solution

sunrise
Contributor
‎08-23-2015 10:04 PM

In some tests, I got a solution to this issue.
I found that "configure.sh" may be wrong.

Original "configure.sh" in this App (Ver 3.0.1) includes following lines.
let keepDays=$keepDays-1
if [[ -z "$keepDays" ]]; then
keepDays="2"
fi

This causes wrong days to keep ascii flow logs in flowfix.sh which is executed by script stanza in inputs.conf.
find /opt/splunk625/etc/apps/Splunk_TA_flowfix/nfdump-ascii -type f -mtime +-1 -exec rm -f {} \;

So if you encounter this issue, you need to change flowfix.sh manually, or specify custom days during its configurations.

Reply
Get Updates on the Splunk Community!

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...

Everything Community at .conf24!

You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...