howardtopher
commented
6 years ago I'm getting the same thing.
[2018-07-02T14:46:07,815][WARN ][logstash.codecs.sflow ] Unknown record entreprise 0, format 1003
Closed murrant closed 5 years ago
howardtopher
commented
6 years ago I'm getting the same thing.
[2018-07-02T14:46:07,815][WARN ][logstash.codecs.sflow ] Unknown record entreprise 0, format 1003
howardtopher
commented
6 years ago Looks like the codec lacks support for format 1003 of sflow data as described here: sFlowV5FlowData.pdf. Would it be possible to get this format added?
landonstewart
commented
6 years ago I'm also getting tons of these for both format 1003 and 1006.
[2018-07-27T18:30:49,085][WARN ][logstash.codecs.sflow ] Unknown record entreprise 0, format 1003
[2018-07-27T18:30:49,087][WARN ][logstash.codecs.sflow ] Unknown record entreprise 0, format 1006
[2018-07-27T18:30:49,095][WARN ][logstash.codecs.sflow ] Unknown record entreprise 0, format 1003
[2018-07-27T18:30:49,099][WARN ][logstash.codecs.sflow ] Unknown record entreprise 0, format 1006
[2018-07-27T18:30:49,114][WARN ][logstash.codecs.sflow ] Unknown record entreprise 0, format 1003
[2018-07-27T18:30:49,115][WARN ][logstash.codecs.sflow ] Unknown record entreprise 0, format 1003I've posted a pcap file to the URL below: https://www.dropbox.com/s/a8epeheccdyq3rp/sflow_data_sample.pcap
I tried editing the logstash-codec-sflow source myself (forking and editing) but the fields for format 1003 (and 1006) are more complicated than just adding uint32 type fields etc. The AS path etc confused me so I didn't get far.
landonstewart
commented
5 years ago I've also posted this issue to the elastic.co forum at:
kzemek
commented
5 years ago I'm closing this issue, as multiple sFlow extensions have been added and a couple of parsing errors have been addressed. @murrant if you still encounter the error while running the plugin from Git, I'll need a .pcap file to diagnose it and we'll reopen the issue.
This warning is getting spammed in the log file for seemingly every packet recieved. Any way to stop it?