Configure Flow collector
Splunk Stream supports ingestion of flow protocol data from network devices. If you have switches, routers, firewalls, and so on, that generate flow protocol data (NetFlow and sFlow), you can configure Stream forwarder to receive that data and send it to Splunk indexers. Both Splunk_TA_stream and independent Stream forwarder (streamfwd) support flow data ingestion.
Supported flow protocols
Stream supports collection of these flow protocols:
- NetFlow versions 5 and 9, and IPFIX
- sFlow version 5
- jFlow
Note: Only flow data sent over UDP protocol is supported.
Best practices for scaling flow ingestion
When scaling flow protocol ingestion, consider these best practices:
- Use Independent Stream forwarder. See Deploy Independent Stream forwarder.
- Configure Nginx or another load balancer to distribute load among indexer cluster nodes.
- Disable SSL on the HEC input, if appropriate. (Do not disable SSL if you are sending data to Splunk Cloud, or if other security considerations apply.)
Note: Both Splunk_TA_stream and independent Stream forwarder deployments support flow protocol collection. However, due to the limited ingestion capabilities of the Wire Data modular input used by Splunk_TA_stream, we recommend using Splunk_TA_stream for low bandwidth or aggregated netflow capture only.
Configure flow data ingestion
To ingest flow data, you must configure streamfwd to receive data at a specific IP address and port, and specify the flow protocol. This is done by adding a set of flow configuration parameters to streamfwd.conf as follows:
- Edit local/streamfwd.conf.
- Add the following parameters to specify the IP address to bind to, the port number to bind to, and the flow protocol:
netflowReceiver.<N>.ip = <ip_address>
netflowReceiver.<N>.port = <port_number>
netflowReceiver.<N>.decoder = <flow_protocol>
- For high volumes of netflow, configure additional netflow processing threads as shown:
netflowReceiver.0.decodingThreads = 4
- Restart Splunk.
For example, to receive NetFlow and sFlow data at IP address 172.23.245.122 on ports 9995 and 6343 respectively, configure streamfwd.conf as shown:
[streamfwd]
logConfig = streamfwdlog.conf
port = 8889
netflowReceiver.0.ip = 172.23.245.122
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow
netflowReceiver.1.ip = 172.23.245.122
netflowReceiver.1.port = 6343
netflowReceiver.1.decoder = sflow
Note: By default, the netflowReceiver.<N>.ip parameter binds to the first available IP address. There are no default values for the netflowReceiver.<N>.port and netflowReceiver.<N>.decoder configuration parameters.
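Because port and decoder have no defaults and a typo in either silently leaves a receiver unable to ingest anything, it is worth checking streamfwd.conf before restarting. The following linter is an added example, not Splunk's code or any part of Splunk Stream: it parses the netflowReceiver.<N>.* parameters from the [streamfwd] stanza and reports a missing port or decoder, an out-of-range port, a decoder name other than the two shown in this documentation (netflow and sflow), a non-positive decodingThreads value, and two receivers bound to the same ip:port. The sample configuration and the KNOWN_DECODERS set are constructed here for illustration; the set of decoder names and the function names are assumptions, not documented Splunk values.

```python
import re
from collections import defaultdict

# Decoder names shown in this documentation for netflowReceiver.<N>.decoder.
# Assumption for this example: anything else is flagged for review.
KNOWN_DECODERS = {"netflow", "sflow"}

# Constructed sample: receiver 0 is correct, receiver 1 has no port and a
# misspelled decoder, receiver 2 reuses the ip:port already taken by receiver 0.
SAMPLE_CONF = """
[streamfwd]
logConfig = streamfwdlog.conf
port = 8889
netflowReceiver.0.ip = 172.23.245.122
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow
netflowReceiver.0.decodingThreads = 4
netflowReceiver.1.ip = 172.23.245.122
netflowReceiver.1.decoder = sflw
netflowReceiver.2.ip = 172.23.245.122
netflowReceiver.2.port = 9995
netflowReceiver.2.decoder = netflow
"""

# Matches "netflowReceiver.<N>.<key> = <value>" and captures N, key and value.
_RECEIVER_RE = re.compile(r"^netflowReceiver\.(\d+)\.(\w+)\s*=\s*(.*?)\s*$")


def parse_receivers(conf_text):
    """Return {index: {key: value}} for every netflowReceiver.<N>.* line in [streamfwd]."""
    receivers = defaultdict(dict)
    stanza = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        if stanza != "streamfwd":
            continue  # receiver parameters only count inside the [streamfwd] stanza
        m = _RECEIVER_RE.match(line)
        if m:
            receivers[int(m.group(1))][m.group(2)] = m.group(3)
    return dict(receivers)


def check_receivers(receivers):
    """Return a list of (index, message) findings; an empty list means no problems found."""
    findings = []
    bound = {}  # (ip, port) -> receiver index that first claimed it
    for idx in sorted(receivers):
        r = receivers[idx]
        port = r.get("port")
        if port is None:
            findings.append((idx, "port is required (no default)"))
        elif not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append((idx, f"port {port!r} is not a valid UDP port"))
        decoder = r.get("decoder")
        if decoder is None:
            findings.append((idx, "decoder is required (no default)"))
        elif decoder not in KNOWN_DECODERS:
            findings.append((idx, f"decoder {decoder!r} is not one of {sorted(KNOWN_DECODERS)}"))
        threads = r.get("decodingThreads")
        if threads is not None and (not threads.isdigit() or int(threads) < 1):
            findings.append((idx, f"decodingThreads {threads!r} must be a positive integer"))
        if port is not None:
            # ip is optional (binds to the first available address by default)
            key = (r.get("ip", "<first available>"), port)
            if key in bound:
                findings.append((idx, f"ip:port {key[0]}:{key[1]} already used by receiver {bound[key]}"))
            else:
                bound[key] = idx
    return findings


def lint_conf(conf_text):
    """Parse and check a streamfwd.conf text in one call."""
    return check_receivers(parse_receivers(conf_text))


if __name__ == "__main__":
    for idx, msg in lint_conf(SAMPLE_CONF):
        print(f"netflowReceiver.{idx}: {msg}")
```

Run it against a real file with lint_conf(open("local/streamfwd.conf").read()); an empty result means every receiver has a port and a recognised decoder and no two receivers collide on the same ip:port.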
Start flow data ingestion
After you configure flow data ingestion in streamfwd.conf, you must create and enable a flow protocol stream (netflow or sflow) in the Configure Streams UI for flow data ingestion to begin. For instructions on creating and enabling streams, see Configure Streams in the Splunk Stream User Manual.
Search flow protocol data
To run Splunk searches for netflow or sflow protocol data, use the following search syntax:
sourcetype=stream:netflow
sourcetype=stream:sflow
Configure proprietary element mapping
Splunk Stream supports mapping of IPFIX proprietary elements to Stream forwarder vocabulary terms. This lets you add and specify proprietary flow elements as fields in netflow protocol stream configurations that you create in the Configure Streams UI. To implement this feature, contact your Splunk support representative.
This documentation applies to the following versions of Splunk Stream™: 7.0.0, 7.0.1