Solved: AppFlow Data is not visible in the Citrix App

mmanfred · ‎08-05-2015

I have Splunk 6.2.3, Latest IPFIX and Citrix App and Netscaler 10.x. IPFIX listener is up and netscaler is sending appflow data to it.

I am able to query eventtype=netscaler but the appFlow dashboards seem to be looking for eventtype=netscaler_appflow which does not exist.

sourcetype=ipfix for these events and I see in the eventtypes.conf:
[netscaler_appflow]
search = eventtype=netscaler sourcetype=appflow

there is no sourcetype=appflow.
my input.conf only has the python [ script line
<pre>
[script:\/\/./bin/scripted_inputs/deploy_splunk_ta_netscaler.py]
interval = -1
index=_internal
sourcetype=netscaler:installer
disabled = 0
passAuth = splunk-system-user
</pre>

am I missing a setup step that creates that sourcetype?

mmanfred · ‎08-05-2015

Ah -
Two things:
1 - my inputs.conf needed to be
[ipfix://NetScaler_AppFlow]
sourcetype = appflow
index = netscaler
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = true
2- when I setup the IPFIX data input i didnt name it NetScaler_AppFlow so the above didnt match

View solution in original post

mmanfred · ‎08-05-2015

Ah -
Two things:
1 - my inputs.conf needed to be
[ipfix://NetScaler_AppFlow]
sourcetype = appflow
index = netscaler
address = 0.0.0.0
port = 4739
buffer = 1048576
disabled = true
2- when I setup the IPFIX data input i didnt name it NetScaler_AppFlow so the above didnt match

AppFlow Data is not visible in the Citrix App

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!