This is an application for consuming netflow v5,7,9 data using NFDUMP, iNotify, Binary-ASCII coverter, and Splunk!

Splunk Phlow is an amalgamation of

• NFDUMP
• iNotify
• nfcapd-ascii bash script
• logrotate
• tito (for the RPM)
• cron (to handle scheduling)
• init scripts (to handle service starting)
• puppet (out of scope - but to get this built/rebuilt/rebuilt/......rebuilt and stable)
• custom Splunk app: Splunk Phlow

@jcwx John Weir

@rupak98 - Rupak Pandya

@sometheycallme - Tim Kropp

@sorandom - Sandeep Khaneja

@jumanjiman - Paul Morgan

@vpalacio - Victor Palacio

This cisco whitepaper on the relevant fields for extracting data from flows was helpful when we built the app.

http://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

We also used the field references here

http://www.ietf.org/rfc/rfc3954.txt http://en.wikipedia.org/wiki/NetFlow

We rely on NFDUMP to get data into binary and off the stack.

http://nfdump.sourceforge.net

We rely on inotify to get data out of binary nfcapd into ascii format

http://linuxaria.com/article/introduction-inotify?lang=en

https://github.com/phlowy/splunk-phlow/wiki