Hello,
I recently set up Splunk Stream to receive NetFlow v9 data from a few sources. Everything seems to be working fine so far, but every so often I'll start getting these messages in my streamfwd log, which will last for several minutes and then go away again, only to return several minutes later.
2017-09-12 15:48:49 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 56
2017-09-12 15:48:50 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 212
2017-09-12 15:48:51 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 160
2017-09-12 15:48:54 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 372
2017-09-12 15:48:57 WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 259 received for observation domain id 768 from device x.x.x.x . Dropping flow data set of size 108
What could be causing these messages to intermittently appear like that? I thought that this could be due to a NetFlow template not being sent (Cisco devices are sending the NetFlow data), but I don't think that this is the case since this only happens intermittently.
In case it would help, my streamfwd.conf file contains the following lines:
[streamfwd]
logConfig = streamfwdlog.conf
port = 8889
netflowReceiver.0.ip = x.x.x.x
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow
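
To see how these warnings cluster over time, the following added example (not part of the original post and not Splunk code) parses streamfwd warnings in the format quoted above and groups them into bursts per device, observation domain and template id. The sample lines, the 192.0.2.10 placeholder address and the 60-second gap threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the warnings quoted above; 192.0.2.10 is a
# documentation placeholder address and the INFO line is made-up noise.
MSG = ("WARN [140371258496768] (NetflowManager/NetflowDecoder.cpp:1112) "
       "stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. "
       "No template with id 259 received for observation domain id 768 "
       "from device 192.0.2.10 . Dropping flow data set of size ")
SAMPLE = [
    "2017-09-12 15:48:49 " + MSG + "56",
    "2017-09-12 15:48:50 " + MSG + "212",
    "2017-09-12 15:48:51 " + MSG + "160",
    "2017-09-12 15:50:00 INFO [140371258496768] constructed unrelated line",
    "2017-09-12 16:02:10 " + MSG + "108",
    "2017-09-12 16:02:12 " + MSG + "372",
]

WARN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) WARN .*?"
    r"No template with id (?P<tid>\d+) received for observation domain id (?P<dom>\d+) "
    r"from device (?P<dev>\S+)\s*\.\s*Dropping flow data set of size (?P<size>\d+)")

def find_bursts(lines, max_gap=timedelta(seconds=60)):
    """Group warnings per (device, domain, template); a silence > max_gap ends a burst."""
    events = defaultdict(list)
    for line in lines:
        m = WARN_RE.search(line)
        if m:  # anything that is not a missing-template warning is skipped
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[(m["dev"], int(m["dom"]), int(m["tid"]))].append((ts, int(m["size"])))
    bursts = []
    for key, evs in sorted(events.items()):
        evs.sort()
        cur = None
        for ts, size in evs:
            if cur is None or ts - cur["end"] > max_gap:
                cur = {"key": key, "start": ts, "end": ts, "sets": 0, "dropped_size": 0}
                bursts.append(cur)
            cur["end"] = ts
            cur["sets"] += 1
            cur["dropped_size"] += size
    return bursts

if __name__ == "__main__":
    for b in find_bursts(SAMPLE):
        dev, dom, tid = b["key"]
        print(f"{dev} domain={dom} template={tid} {b['start']} -> {b['end']} "
              f"sets={b['sets']} dropped_size={b['dropped_size']}")
```

The burst start and end times can then be compared with the exporter's template resend settings and with any restarts of the receiver.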