{"id":1229,"date":"2016-09-05T13:19:38","date_gmt":"2016-09-05T18:19:38","guid":{"rendered":"http:\/\/www.nathanhunstad.com\/blog\/?p=1229"},"modified":"2016-09-05T13:19:38","modified_gmt":"2016-09-05T18:19:38","slug":"netflow-and-splunk","status":"publish","type":"post","link":"https:\/\/www.nathanhunstad.com\/blog\/2016\/09\/netflow-and-splunk\/","title":{"rendered":"Netflow and Splunk"},"content":{"rendered":"<p>Yesterday, I <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2016\/09\/edgeos-and-netflow\/\" target=\"_blank\">told the tale<\/a> of getting netflow data out of my EdgeOS router. Once I started actually receiving data, I wanted to get it into Splunk. I figured that I would have to set up a directory for netflow log data from nfdump, then set up a reader to have Splunk ingest the data. After doing some Googling, though, I found the <a href=\"https:\/\/splunkbase.splunk.com\/app\/1658\/\" target=\"_blank\">Splunk Add-on for NetFlow<\/a>, which handles all of that automatically! Once you get it up and running, that is.<\/p>\n<p><!--more--><\/p>\n<p>Downloading and installing the add-on was simple. Next came configuration, and learned lesson one: run the configuration script as the user Splunk runs under and not another user: doing so will screw up permissions on the files the script creates. Lesson number two: every time you run the configuration script you need to manually kill nfcapd first, otherwise the script will fail.<\/p>\n<p>Those two items done, I was only getting very intermittent data into Splunk, and the destination directory where the nfdump files were supposed to end up was always empty. 
It was at this point I looked at the script that was running to do the data export, and found an error caused by the configuration script: if you don\u2019t manually enter the number of days to keep the log files around, the script will <a href=\"https:\/\/answers.splunk.com\/answers\/301176\/a-wrong-configuration-script-configuresh-in-splunk.html\" target=\"_blank\">put in a negative number<\/a>, deleting the log files immediately after creation. This created your classic race condition, and usually the files were deleted before Splunk could read them, but sometimes Splunk would read a few lines first.<\/p>\n<p>Finally, after getting everything working as it should, I set up some dashboards. This was a simple timechart showing egress traffic over time (egress was <span style=\"font-family: 'Courier New';\">engine-id 2<\/span> as you may remember):<\/p>\n<p><span style=\"font-family: 'Courier New';\">index=netflow engine=&quot;0\/2&quot; | timechart sum(bytes) | fillnull<\/span><\/p>\n<p>I also set up some pivots to create some pie charts. In the end, my very simple dashboard looked like this:<\/p>\n<p><a href=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2016\/09\/image.png\"><img loading=\"lazy\" decoding=\"async\" style=\"background-image: none; padding-top: 0px; padding-left: 0px; display: inline; padding-right: 0px; border: 0px;\" title=\"image\" src=\"http:\/\/www.nathanhunstad.com\/blog\/wp-content\/uploads\/2016\/09\/image_thumb.png\" alt=\"image\" width=\"591\" height=\"388\" border=\"0\" \/><\/a><\/p>\n<p>Future improvements could include combining ingress and egress traffic into one chart, and replacing IP addresses with hostnames for internal IPs.<\/p>\n<p>It took longer than I thought, but in the end it worked out pretty well.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday, I told the tale of getting netflow data out of my EdgeOS router. Once I started actually receiving data, I wanted to get it into Splunk. 
I figured that I would have to set up a directory for netflow log data from nfdump, then set up a reader to have Splunk ingest the data.&hellip; <a class=\"more-link\" href=\"https:\/\/www.nathanhunstad.com\/blog\/2016\/09\/netflow-and-splunk\/\">Continue reading <span class=\"screen-reader-text\">Netflow and Splunk<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19],"tags":[251,280,252],"class_list":["post-1229","post","type-post","status-publish","format-standard","hentry","category-tech-2","tag-edgeos","tag-netflow","tag-splunk","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=1229"}],"version-history":[{"count":2,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1229\/revisions"}],"predecessor-version":[{"id":1231,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/1229\/revisions\/1231"}],"wp:attachment":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=1229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?post=1229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nathan
hunstad.com\/blog\/wp-json\/wp\/v2\/tags?post=1229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}