Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Configure Flow collector

Splunk Stream supports ingestion of flow protocol data from network devices. If you have switches, routers, firewalls, and so on, that generate flow protocol data (NetFlow and sFlow), you can configure Stream forwarder to receive and send that data to Splunk indexers. Both Splunk_TA_stream and independent Stream forwarder (streamfwd) support flow data ingestion.

Supported flow protocols

Stream supports collection of these flow protocols:

  • NetFlow version 5, 9 and IPFIX.
  • sFlow version 5
  • jFlow

Note: Only flow data sent over UDP protocol is supported.

Best practices for scaling flow ingestion

When scaling flow protocol ingestion, consider these best practices:

  1. Use Independent Stream forwarder. See Deploy Independent Stream forwarder.
  2. Configure Nginx or another load balancer to distribute load among indexer cluster nodes.
  3. Disable SSL on the HEC input, if appropriate. (Do not disable SSL if you are sending data to Splunk Cloud, or if other security considerations apply.)

Note: Both Splunk_TA_stream and independent Stream forwarder deployments support flow protocol collection. However, due to the limited ingestion capabilities of the Wire Data modular input used by Splunk_TA_stream, we recommended using Splunk_TA_stream for low bandwidth or aggregated netflow capture only.

Configure flow data ingestion

To ingest flow data, you must configure streamfwd to receive data at a specific IP address and port, and specify the flow protocol. This is done by adding a set of flow configuration parameters to streamfwd.conf as follows:

  1. Edit local/streamfwd.conf.
  2. Add the following parameters to specify the the ip address to bind to, the port number to bind to, and the flow protocol.
    3. netflowReceiver.<N>.ip = <ip_address>
netflowReceiver.<N>.port = <port_number>
netflowReceiver.<N>.decoder = <flow_protocol>

    For example, to receive NetFlow and sFlow data at IP address 172.23.245.122 on port 9995 and 6343 respectively, configure streamfwd.conf as shown: 

    [streamfwd]
logConfig = streamfwdlog.conf
port = 8889

netflowReceiver.0.ip = 172.23.245.122
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

netflowReceiver.1.ip = 172.23.245.122
netflowReceiver.1.port = 6343
netflowReceiver.1.decoder = sflow
  3. For high volume of netflow, configure additional netflow processing threads as shown: 
    netflowReceiver.0.decodingThreads = 4
  4. Restart Splunk.

Note: By default, the netflowReceiver.<N>.ip parameter binds to the first available IP address. There are no default values for netflowReceiver.<N>.port and netflowReceiver.<N>.decoder configuration parameters.

Start flow data ingestion

After you configure flow data ingestion in streamfwd.conf, you must create and enable a flow protocol stream (netflow or sflow) in the Configure Streams UI for flow data ingestion to begin . For instructions on creating and enabling streams, see Configure Streams in the Splunk Stream User Manual.

Search flow protocol data

To run Splunk searches for netflow or sflow protocol data, use the following search syntax: 

sourcetype=stream:netflow
sourcetype=stream:sflow

Configure proprietary element mapping

Splunk Stream supports mapping of IPFIX proprietary elements to Stream forwarder vocabulary terms. This lets you add and specify proprietary flow elements as fields in netflow protocol stream configurations that you create in the Configure Streams UI. To implement this feature, contact your Splunk support representative.

Last modified on 13 March, 2017
Configure Stream forwarder   Configure 10Gbps network capture

This documentation applies to the following versions of Splunk Stream: 7.0.0, 7.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters