I'm trying to get NetFlow data collected from Argus that I want to get into Splunk.
I'm taking the Argus data and using ra to generate an ASCII output file as a CSV (comma separated) with a header row at the top. The files we are generating look like this:
Host,Region,StartTime,LastTime,Trans,Dur,Proto,SrcAddr,Sport,DstAddr,Dport,SrcBytes,DstBytes,SrcPkts,DstPkts,pSrcLoss,pDstLoss,SrcRate,DstRate,TcpRtt(Sec),State
NIDS-03,US,06/04/09 02:59:57.01,06/04/09 03:00:02.01,1,5.00,6,16.1.26.245,41368,19.7.8.6,80,667638,0,10096,0,0.00,0.00,2019.27,0.00,0.00,PA_
NIDS-03,US,06/04/09 02:59:56.86,06/04/09 02:59:57.18,1,0.32,17,19.7.8.3,44225,202.56.230.6,53,198,512,2,2,0.00,0.00,333333.32,90909.09,0.00,CON
The machine that has this data is set up as a Splunk forwarder, and I have the inputs.conf on this forwarder set up like so:
[batch:///data/argus-splunk]
move_policy = sinkhole
disabled = false
host = 06
host_segment = 05
sourcetype = netflow
When I copy this file into that directory, Splunk reads it and forwards it to the Splunk server, and a new sourcetype "netflow" shows up on the server.
However, Splunk cannot match the headers (Host, Region, StartTime, LastTime, etc.) with the columns.
Has someone done this before who can help me with this?
Thanks,
Ralph
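One way to get Splunk to use that header row, as an added example that is not part of Ralph's post: a props.conf stanza for the netflow sourcetype that tells Splunk the files are CSV with field names on line 1. The sourcetype and column names come from the post; the TIME_FORMAT is my reading of the sample timestamps and is an assumption.

```ini
# props.conf, deployed on the forwarder that owns the [batch:///data/argus-splunk]
# input (structured-data parsing happens where the file is read, so a copy on
# the indexer alone has no effect on data the forwarder has already sent).
[netflow]
# Treat each file as CSV and take the field names from its first line
INDEXED_EXTRACTIONS = csv
FIELD_DELIMITER = ,
HEADER_FIELD_LINE_NUMBER = 1
# Which column carries the event time and how ra writes it, e.g.
# "06/04/09 02:59:57.01" = month/day/2-digit year, then fractional seconds.
# TIME_FORMAT is an assumption based on the sample rows in the post.
TIMESTAMP_FIELDS = StartTime
TIME_FORMAT = %m/%d/%y %H:%M:%S.%Q
# Fields are already indexed from the header; skip the search-time
# key=value extraction pass so they are not extracted twice
KV_MODE = none
# Each Argus flow record is exactly one line
SHOULD_LINEMERGE = false
```

Restart splunkd on the forwarder after adding the stanza; it applies only to files read after the restart, and if StartTime values still come through unparsed, drop TIME_FORMAT and let Splunk's automatic timestamp recognition work on that field.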