Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with NetFlow v9 Templates Not Received by Splunk Stream – Flows Being Dropped

kn450
Explorer
Friday

Hi Splunk Community,

I'm currently integrating Flowmon ndr as a NetFlow data exporter to Splunk Stream, but I’m encountering a persistent issue where Splunk receives the flow data, yet it’s not decoded properly, and flow sets are being dropped due to missing templates.

Here’s the warning from the Splunk log:

```
2025-06-21 08:34:49 WARN [139703701448448] (NetflowManager/NetflowDecoder.cpp:1282) stream.NetflowReceiver - NetFlowDecoder::decodeFlow Unable to decode flow set data. No template with id 258 received for observation domain id 13000 from device 10.x.x.x. Dropping flow data set of size 328
```

Setup details:

Exporter: Flowmon
Collector: Splunk Stream
 Protocol: NetFlow v9 (also tested with IPFIX)
Transport: UDP
 Template Resend Configuration: Every 4096 packets or  600 seconds

Despite verifying these settings on Flowmon, Splunk continues to report that the template ID (in this case, 258) was never received, causing all related flows to be dropped.

My questions:

1. Has anyone successfully integrated Flowmon with Splunk Stream using NetFlow v9?
2. Is there a known issue with Splunk Stream not handling templates properly from certain exporters?
3. Are there any recommended Splunk Stream configuration tweaks for handling late or infrequent templates?

Any insights, experiences, or troubleshooting tips would be greatly appreciated.

Thanks in advance!

Labels (1)
Labels
Tags (1)
0 Karma
Reply

livehybrid
Super Champion
Friday

Hi @kn450 

Splunk Stream requires NetFlow v9/IPFIX templates to be received before it can decode flow records; if templates arrive infrequently or are missed, flows are dropped.

I'm not aware of any specific known issues around this, but I certainly think it is worth configuring Flowmon to send templates much more frequently (ideally every 20–30 seconds, not just every 600 seconds or 4096 packets) and see if this alleviate the issue.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

kn450
Explorer
Friday

I changed the time and the pack size, but the problem still exists.

0 Karma
Reply
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...

Splunk ITSI & Correlated Network Visibility

 Take Your Network Visibility to the Next LevelIn today’s complex IT environments, performance issues can stem ...

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 3)

Welcome back to Splunk Classroom Chronicles, our ongoing blog series that pulls back the curtain on Splunk ...
OSZAR »