Codec not parsing sflow metrics

[supernomad]

So I have installed this plugin into logstash using, bin/plugin install logstash-codec-plugin and setup a new input:

input {
  udp {
    port => 6343
    codec => sflow
    type => sflow
  }
}

There are no filters and its output should be directly sent to elasticsearch. However this is not happening, in actuallity we are getting the following error: {:timestamp=>"2016-05-04T21:12:34.527000+0000", :message=>"Unknown record entreprise 0, format 0", :level=>:warn}

We have confirmed our switches are outputting to the configured port with tcpdump and sflowtool and with these tools have been able to confirm we are outputting sflow v5 metrics.

logstash version: 2.2.0 codec version: 1.0.0

any help would be greatly appreciated as we have resorted to using the sflowtool and a pipe input for logstash which feels wrong.

[ashangit]

Hi,

Could you please configure the it like this:

input {
  udp {
    port => 6343
    codec => sflow {
      snmp_interface => false
    }
    type => sflow
  }
}

There is fin act by default an snmp call to get some interface resolution in order to resolve the source id index. I think that it is stuck here. I will change this parameter to be set to false by default but please test it like that first to ensure that it is the root cause of your issue. For the warning event this is a "normal" behaviour as no counter or sample flow with enterprise field set to 0 and format field set to 0 are managed. From the sflow specifications I can't see any counter or sample flow with such IDs (http://www.sflow.org/developers/structures.php). For this warning I will need a tcpdump containing just this sflow events with format set to 0 in order to try adding it

[supernomad]

Awesome thanks for the information I will test this out and see what happens. I will update with my results.

[ashangit]

Any news @Supernomad