Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Configure Flow collector

Splunk Stream supports flow protocol data ingestion from network devices. If you have switches, routers, firewalls, or other elements that generate flow protocol data (NetFlow and sFlow), you can configure Stream forwarder to receive that data and send it to Splunk indexers. Both Splunk_TA_stream and the independent Stream forwarder (streamfwd) support flow data ingestion.

Supported flow protocols

Stream supports collection of these flow protocols:

  • NetFlow version 5, NetFlow version 9, and IPFIX
  • sFlow version 5
  • jFlow

Note: Only flow data sent over UDP is supported. UDP carries no sender authentication, so a receiver port accepts datagrams from any host that can reach it; restrict the exporter addresses allowed to reach the port at the host or network firewall.

Best practices for scaling flow ingestion

When scaling flow protocol ingestion, consider these best practices:

  • Use Independent Stream forwarder. See Deploy Independent Stream forwarder.
  • Configure Nginx or another load balancer to distribute load among indexer cluster nodes.
  • Disable SSL on the HEC input only if the network path between Stream forwarder and the indexers is trusted. Do not disable SSL if you are sending data to Splunk Cloud, or if other security considerations apply.

Note: Both Splunk_TA_stream and independent Stream forwarder deployments support flow protocol collection. However, because of the limited ingestion capacity of the Wire Data modular input used by Splunk_TA_stream, we recommend using Splunk_TA_stream only for low-bandwidth or aggregated NetFlow capture.

Configure flow data ingestion

To ingest flow data, configure streamfwd to receive data at a specific IP address and port and specify the flow protocol. To do this, add a set of flow configuration parameters to streamfwd.conf as follows:

  1. Edit local/streamfwd.conf.
  2. Add the following parameters to specify the IP address to bind to, the port number to bind to, and the flow protocol. <N> is a zero-based receiver index; use a distinct index for each IP address and port combination.
    netflowReceiver.<N>.ip = <ip_address>
    netflowReceiver.<N>.port = <port_number>
    netflowReceiver.<N>.decoder = <flow_protocol>

    For example, to receive NetFlow data on port 9995 and sFlow data on port 6343 on the same forwarder, configure streamfwd.conf as shown. The ip values are left blank here, so each receiver binds to the first available IP address; set them explicitly to pin the receivers to the interface that faces your exporters.

    logConfig = streamfwdlog.conf
    port = 8889
    netflowReceiver.0.ip =
    netflowReceiver.0.port = 9995
    netflowReceiver.0.decoder = netflow
    netflowReceiver.1.ip =
    netflowReceiver.1.port = 6343
    netflowReceiver.1.decoder = sflow

    For a high volume of NetFlow, configure additional decoding threads for that receiver, as shown:

    netflowReceiver.0.decodingThreads = 4
  3. Restart Splunk (or restart the streamfwd service if you run an independent Stream forwarder).

By default, the netflowReceiver.<N>.ip parameter binds to the first available IP address. There are no default values for netflowReceiver.<N>.port and netflowReceiver.<N>.decoder configuration parameters.
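The checks below, as an added example that is not Splunk's code, parse the netflowReceiver.<N>.* entries from a constructed streamfwd.conf fragment and flag the mistakes the procedure above warns about: a missing port or decoder (neither has a default), a blank ip (the forwarder then binds to the first available address), a port used by two receivers, and a decodingThreads value that is not a positive integer. The decoder keywords netflow and sflow come from the page's own example; the keyword for jFlow is not shown on the page, so any other value is reported for manual verification rather than rejected. The sample configuration, including the deliberately broken receiver 2, is constructed for this example.

```python
"""Validate netflowReceiver.<N>.* entries in a streamfwd.conf fragment.

Added example, not Splunk's code. Checks the constraints the page states:
port and decoder have no defaults, and a blank ip makes streamfwd bind to
the first available address. Decoder keywords are the ones shown on the page.
"""
import re
from collections import defaultdict

RECEIVER_RE = re.compile(r"^\s*netflowReceiver\.(\d+)\.(\w+)\s*=\s*(.*?)\s*$")
KNOWN_DECODERS = {"netflow", "sflow"}   # keywords from the page's example; jflow keyword not shown


def parse_receivers(conf_text):
    """Group netflowReceiver.<N>.<key> = <value> lines by receiver index N."""
    receivers = defaultdict(dict)
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = RECEIVER_RE.match(line)
        if m:
            idx, key, value = m.groups()
            receivers[int(idx)][key] = value
    return dict(receivers)


def check_receivers(receivers):
    """Return a list of 'receiver N: ...' problem strings; an empty list means OK."""
    problems = []
    ports_in_use = {}
    for idx in sorted(receivers):
        r = receivers[idx]
        port = r.get("port", "")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"receiver {idx}: port is required (no default) and must be 1-65535, got {port!r}")
        elif int(port) in ports_in_use:
            problems.append(f"receiver {idx}: port {port} is already used by receiver {ports_in_use[int(port)]}")
        else:
            ports_in_use[int(port)] = idx

        decoder = r.get("decoder", "")
        if not decoder:
            problems.append(f"receiver {idx}: decoder is required (no default)")
        elif decoder.lower() not in KNOWN_DECODERS:
            problems.append(f"receiver {idx}: decoder {decoder!r} is not one shown on the page; verify the keyword")

        if not r.get("ip"):
            problems.append(f"receiver {idx}: ip is blank, so streamfwd binds to the first available address; "
                            "pin it to the exporter-facing interface")

        threads = r.get("decodingThreads")
        if threads is not None and (not threads.isdigit() or int(threads) < 1):
            problems.append(f"receiver {idx}: decodingThreads must be a positive integer, got {threads!r}")
    return problems


# Constructed sample: the page's two receivers with explicit ip values,
# plus a deliberately broken receiver 2 (blank ip, out-of-range port, no decoder).
SAMPLE_CONF = """\
logConfig = streamfwdlog.conf
port = 8889
netflowReceiver.0.ip = 10.0.0.5
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow
netflowReceiver.0.decodingThreads = 4
netflowReceiver.1.ip = 10.0.0.5
netflowReceiver.1.port = 6343
netflowReceiver.1.decoder = sflow
netflowReceiver.2.ip =
netflowReceiver.2.port = 99999
"""

if __name__ == "__main__":
    for problem in check_receivers(parse_receivers(SAMPLE_CONF)):
        print(problem)
```

Run it against your own local/streamfwd.conf before restarting: every problem it reports corresponds to a receiver that will either fail to start (missing port or decoder) or listen somewhere you did not intend (blank ip).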

Configure proprietary element mapping

Splunk Stream supports mapping of IPFIX proprietary elements to Stream forwarder vocabulary terms. This lets you add and specify proprietary flow elements as fields in NetFlow protocol stream configurations that you create in the Configure Streams UI. To implement this feature, contact your Splunk support representative.

Flow data search syntax

To run searches for NetFlow or sFlow protocol data use the following search syntax:


Create flow protocol streams

After you configure streamfwd.conf for flow data ingestion, you can use the Configure Streams UI in splunk_app_stream to create NetFlow and sFlow protocol streams with unique field definitions. See Configure Streams.

How NetFlow event timestamps are calculated

If any of the following fields are present in your NetFlow data, Stream Forwarder sets the Splunk timestamp field to the value of the NetFlow flowStart* field and the Splunk endtime field to the value of the NetFlow flowEnd* field.

  • flowStartSeconds
  • flowEndSeconds
  • flowStartMilliseconds
  • flowEndMilliseconds
  • flowStartMicroseconds
  • flowEndMicroseconds
  • flowStartNanoseconds
  • flowEndNanoseconds

For NetFlow records that are not flow related, Stream Forwarder populates the Splunk timestamp and endtime fields from the NetFlow observationTime* fields when they are present.

If you have both flowStart* and observationTime* fields in your NetFlow data, then Stream Forwarder sets the Splunk Search timestamp to be the NetFlow flowStart* value and the Splunk Search endtime field to contain the NetFlow observationTime* value.

If none of the above fields are present, and a NetFlow record has the following fields:

  • "first switched" (flowStartSysUpTime)
  • "last switched" (flowEndSysUpTime)
  • "system uptime"
  • "current device time in unix epoch"

then Stream Forwarder calculates the Splunk Search timestamp and endtime as follows:

  • timestamp = ("current device time in unix epoch" - "system uptime") + "first switched" (flowStartSysUpTime)
  • endtime = ("current device time in unix epoch" - "system uptime") + "last switched" (flowEndSysUpTime)

Here "system uptime" and "current device time in unix epoch" come from the export packet header, and the sysUpTime-based values are milliseconds since the exporter booted, so the bracketed term is the exporter's boot time in epoch seconds and the flow times are offsets from it.
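The script below, as an added example that is not Splunk's code, carries the last formula through on a constructed NetFlow v5 datagram. In v5 the "system uptime" and "current device time" come from the export header (sysUptime in milliseconds, plus unix_secs and unix_nsecs), and "first switched" and "last switched" are per-record millisecond uptime values. The script builds such a datagram with struct in the standard v5 field order, parses it back, applies the formula, and flags records whose last switched time precedes first switched or whose first switched value exceeds the header uptime, both of which produce timestamps a search would misorder. The sample records, the exporter clock values and the optional UDP send to 127.0.0.1:9995 are assumptions for the example.

```python
"""Derive flow timestamps from NetFlow v5 sysUptime fields.

Added example, not Splunk's code. Applies the page's formula
    timestamp = (device time - system uptime) + first switched
    endtime   = (device time - system uptime) + last switched
to a constructed v5 datagram. In v5 the uptime values are milliseconds and
device time is the header's unix_secs + unix_nsecs.
"""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte export header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte flow record


def build_v5_packet(sys_uptime_ms, unix_secs, unix_nsecs, records):
    """Build a v5 datagram. Each record is a dict with src, dst, first_ms, last_ms,
    sport, dport, proto, packets and octets; remaining v5 fields are zeroed."""
    header = V5_HEADER.pack(5, len(records), sys_uptime_ms, unix_secs, unix_nsecs,
                            0, 0, 0, 0)   # flow_sequence, engine_type, engine_id, sampling
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), b"\0\0\0\0",
                       0, 0, r["packets"], r["octets"], r["first_ms"], r["last_ms"],
                       r["sport"], r["dport"], 0, 0, r["proto"], 0, 0, 0, 0, 0, 0)
        for r in records)
    return header + body


def flow_times(packet):
    """Return [(src, dst, timestamp, endtime, flags)] with epoch seconds as floats."""
    version, count, sys_uptime_ms, unix_secs, unix_nsecs, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header count exceeds datagram length")
    # ("current device time in unix epoch" - "system uptime"): the exporter's boot instant
    boot_time = unix_secs + unix_nsecs / 1e9 - sys_uptime_ms / 1000.0
    rows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        first_ms, last_ms = f[7], f[8]          # "first switched", "last switched"
        flags = []
        if last_ms < first_ms:
            flags.append("last<first")          # endtime would precede timestamp
        if first_ms > sys_uptime_ms:
            flags.append("first>uptime")        # flow "started" after the header was stamped
        rows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]),
                     boot_time + first_ms / 1000.0, boot_time + last_ms / 1000.0, flags))
    return rows


# Constructed sample: exporter up for one hour, header stamped 2020-04-01T00:00:00Z.
SAMPLE_RECORDS = [
    dict(src="10.1.1.10", dst="10.2.2.20", first_ms=3_000_000, last_ms=3_540_000,
         sport=51000, dport=443, proto=6, packets=12, octets=4800),
    dict(src="10.1.1.11", dst="10.2.2.21", first_ms=3_500_000, last_ms=3_400_000,
         sport=51001, dport=53, proto=17, packets=1, octets=80),   # bad: last before first
]
SAMPLE_PACKET = build_v5_packet(3_600_000, 1_585_699_200, 0, SAMPLE_RECORDS)

if __name__ == "__main__":
    for src, dst, ts, end, flags in flow_times(SAMPLE_PACKET):
        print(f"{src} -> {dst}  timestamp={ts:.3f}  endtime={end:.3f}  {flags}")
    # Optionally fire the datagram at a streamfwd receiver (port 9995 from the page's
    # example) to confirm it is listening; 127.0.0.1 stands in for the forwarder host.
    socket.socket(socket.AF_INET, socket.SOCK_DGRAM).sendto(SAMPLE_PACKET, ("127.0.0.1", 9995))
```

For the first sample record the boot instant is 1585699200 - 3600 = 1585695600, so timestamp resolves to 1585698600 and endtime to 1585699140, fifty seconds before the header was stamped; the second record is flagged because its endtime would precede its timestamp, which is the kind of exporter inconsistency to look for when flow events appear out of order in search.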
Last modified on 01 April, 2020

This documentation applies to the following versions of Splunk Stream: 7.2.0
