Re: Splunk Add-on for NetFlow: Why are there no sr...

chengyu · ‎11-03-2015

Hi Guys,

I have installed the Splunk Add-on for NetFlow and also checked transforms.conf, fields but I can't see about src_inf or dst_inf values e.g: interface name Ethernet 0/0... How do I capture interface name? Thank you so much.

transforms.conf
FIELDS=
"start_time",
"end_time",
"duration",
"src_ip",
"dest_ip",
"src_port",
"dest_port",
"protocol",
"tcp_flag",
"fwd_status",
"src_tos",
"input_pkt",
"input_byte",
"output_pkt",
"output_byte",
"in_int",
"out_int",
"src_bgp_as",
"dest_bgp_as",
"src_mask",
"dest_mask",
"dest_tos",
"flow_dir",
"next_hop_router",
"bgp_next_hop_router",
"src_vlan",
"dest_vlan",
"in_src_mac",
"out_dest_mac",
"in_dest_mac",
"out_src_mac",
"mpls1",
"mpls2",
"mpls3",
"mpls4",
"mpls5",
"mpls6",
"mpls7",
"mpls8",
"mpls9",
"mpls10",
"client_latency",
"server_latency",
"app_latency",
"exp_ip",
"engine",
"exp_sys_id"

jcoates_splunk · ‎11-07-2015

if it's in the flow data, you can just use Splunk's field extractor to do what you want. http://docs.splunk.com/Documentation/Splunk/6.3.1/Knowledge/ExtractfieldsinteractivelywithIFX

jakemichaelwils · ‎11-04-2015

Hello, I have two questions about your post:

1) What are these flows coming from (Cisco router, VMware NSX, nProbe)?

2) Is NetFlow or IPFIX being exported?

Thanks.

chengyu · ‎11-03-2015

note: i collect cisco router and switch devices

jakemichaelwils · ‎11-04-2015

Please paste in your flexible netflow configuration.

Splunk Add-on for NetFlow: Why are there no src_inf or dst_inf fields in transforms.conf? How do I capture the interface name?

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?