Configure Flow collector
Splunk Stream supports flow protocol data ingestion from network devices. If you have switches, routers, firewalls. or other elements that generate flow protocol data (NetFlow and sFlow), you can configure Stream forwarder to receive and send that data to Splunk indexers. Both
Splunk_TA_stream and independent Stream forwarder (
streamfwd) support flow data ingestion.
Supported flow protocols
Stream supports collection of these flow protocols:
- NetFlow version 5, 9 and IPFIX.
- sFlow version 5
Note: Only flow data sent over UDP protocol is supported.
Best practices for scaling flow ingestion
When scaling flow protocol ingestion, consider these best practices:
- Use Independent Stream forwarder. See Deploy Independent Stream forwarder.
- Configure Nginx or another load balancer to distribute load among indexer cluster nodes.
- Disable SSL on the HEC input, if appropriate. (Do not disable SSL if you are sending data to Splunk Cloud, or if other security considerations apply.)
Splunk_TA_stream and independent Stream forwarder deployments support flow protocol collection. However, due to the limited ingestion capabilities of the Wire Data modular input used by
Splunk_TA_stream, we recommended using
Splunk_TA_stream for low bandwidth or aggregated NetFlow capture only.
Configure flow data ingestion
To ingest flow data, configure
streamfwd to receive data at a specific IP address and port and specify the flow protocol. To do this, add a set of flow configuration parameters to
streamfwd.conf as follows:
- Add the following parameters to specify the the IP address to bind to, the port number to bind to, and the flow protocol.
netflowReceiver.<N>.ip = <ip_address> netflowReceiver.<N>.port = <port_number> netflowReceiver.<N>.decoder = <flow_protocol>
For example, to receive NetFlow and sFlow data at IP address 172.23.245.122 on port 9995 and 6343 respectively, configure
[streamfwd] logConfig = streamfwdlog.conf port = 8889 netflowReceiver.0.ip = 172.23.245.122 netflowReceiver.0.port = 9995 netflowReceiver.0.decoder = netflow netflowReceiver.1.ip = 172.23.245.122 netflowReceiver.1.port = 6343 netflowReceiver.1.decoder = sflow
For high volume of netflow, configure additional netflow processing threads as shown:
netflowReceiver.0.decodingThreads = 4
- Restart Splunk.
By default, the
netflowReceiver.<N>.ip parameter binds to the first available IP address. There are no default values for
netflowReceiver.<N>.decoder configuration parameters.
Configure proprietary element mapping
Splunk Stream supports mapping of IPFIX proprietary elements to Stream forwarder vocabulary terms. This lets you add and specify proprietary flow elements as fields in NetFlow protocol stream configurations that you create in the Configure Streams UI. To implement this feature, contact your Splunk support representative.
Flow data search syntax
To run searches for NetFlow or sFlow protocol data use the following search syntax:
Create flow protocol streams
After you configure
streamfwd.conf for flow data ingestion, you can use the Configure Streams UI in
splunk_app_stream to create NetFlow and sFlow protocol streams with unique field definitions. See Configure Streams.
How NetFlow event timestamps are calculated
If you have any of the following fields in a your NetFlow data, Stream Forwarder sets the Splunk
timestamp field to be the value contained in the NetFlow
flowStart* field and the Splunk
endtime field value to be the value contained in the NetFlow
For NetFlow records that are not flow related, when
observationTime* fields are available, Stream Forwarder populates the Splunk
endtime fields values from the NetFlow
If you have both
observationTime* fields in your NetFlow data, then Stream Forwarder sets the Splunk Search
timestamp to be the NetFlow
flowStart* value and the Splunk Search
endtime field to contain the NetFlow
If none of the above fields are present, and a NetFlow record has the following fields:
- "first switch"(flowStartSysUpTime)
- "last switch"(flowEndSysUpTime)
- "system uptime"
- "current device time in unix epoch"
then Stream Forwarder calculates the Splunk Search
endtime as follows:
timestamp= ("device time in unix epoch" - "system uptime") + "first switched"(flowStartSysUpTime)
endtime= ("device time in unix epoch" - "system uptime") + "last switched"(flowEndSysUpTime)
Configure targeted packet capture
Configure 10Gbps network capture
This documentation applies to the following versions of Splunk Stream™: 7.2.0