Open French7 opened 6 years ago
I can confirm this problem (edgerouterX -> Splunk/linux)
The workaround for this issue is to add the following lines to the IPFIXData.py file located at: /opt/splunk/etc/apps/Splunk_TA_ipfix/bin/IPFIX/

```python
# Added in code for macAddress field, takes data as array of decimal numbers,
# converts them to hex numbers (2 digits), then joins them together by ":"
# (str.encode('hex') is Python 2; under Python 3 this would be bytes.hex())
elif field.type_name == 'macAddress':
    temp = data[start:start + field.length].encode('hex')
    output = ":".join(temp[i:i+2] for i in range(0, len(temp), 2))
```
Splunk displays "--" instead of the portId and lineCardId, and "0", "16", "20", etc. instead of the MAC addresses (sourceMacAddress and destinationMacAddress). A Wireshark dump confirms that the data is correctly sent on the network, as it can interpret it.
The portId/lineCardId error comes from the unpack function that expects 8 bytes, but 4 are given.
The MAC address is never interpreted in the code, unlike ipv4 and ipv6. The script just takes the first byte of the decoded address.
I run Splunk on Windows.
Extract of the log:
Cheers Emile
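The two decoding defects described in this issue, shown side by side in a small standalone decoder (an added example, not code from Splunk_TA_ipfix): the macAddress bytes are rendered as colon-separated hex instead of a single byte, and unsigned fields are decoded from however many bytes the template declares (IPFIX reduced-size encoding), so a 4-byte portId or lineCardId no longer trips a fixed 8-byte unpack. The record and template below are constructed; the field names match the issue, the helper names are hypothetical.

```python
# Constructed IPFIX data record (not a real capture): three fields laid out
# back to back, as an exporter such as the EdgeRouter X would send them.
SAMPLE_RECORD = (
    bytes.fromhex("001122aabbcc")   # sourceMacAddress, 6 bytes
    + bytes.fromhex("00000010")     # portId, unsigned64 reduced to 4 bytes (= 16)
    + bytes.fromhex("00000014")     # lineCardId, unsigned64 reduced to 4 bytes (= 20)
)
# Matching template: (field name, IPFIX type name, field length in this template).
SAMPLE_TEMPLATE = [
    ("sourceMacAddress", "macAddress", 6),
    ("portId", "unsigned64", 4),
    ("lineCardId", "unsigned64", 4),
]

def decode_mac(chunk: bytes) -> str:
    """Render a 6-byte EUI-48 value as colon-separated lowercase hex."""
    if len(chunk) != 6:
        raise ValueError(f"macAddress must be 6 bytes, got {len(chunk)}")
    return ":".join(f"{b:02x}" for b in chunk)

def decode_unsigned(chunk: bytes) -> int:
    """Big-endian unsigned integer of 1..8 bytes (RFC 7011 reduced-size encoding).

    A fixed struct.unpack('>Q', ...) needs exactly 8 bytes and raises
    struct.error on the 4-byte values seen in this issue; padding via
    int.from_bytes accepts any declared length instead.
    """
    if not 1 <= len(chunk) <= 8:
        raise ValueError(f"unsupported unsigned length {len(chunk)}")
    return int.from_bytes(chunk, "big")

def decode_field(type_name: str, chunk: bytes):
    """Dispatch on the information-element type name; unknown types stay raw hex."""
    if type_name == "macAddress":
        return decode_mac(chunk)
    if type_name in ("unsigned8", "unsigned16", "unsigned32", "unsigned64"):
        return decode_unsigned(chunk)
    return chunk.hex()

def decode_record(template, record: bytes) -> dict:
    """Walk the record using the template's per-field lengths."""
    out, start = {}, 0
    for name, type_name, length in template:
        chunk = record[start:start + length]
        if len(chunk) != length:
            raise ValueError(f"record truncated inside field {name}")
        out[name] = decode_field(type_name, chunk)
        start += length
    if start != len(record):
        raise ValueError(f"{len(record) - start} trailing bytes after last field")
    return out
```

Running `decode_record(SAMPLE_TEMPLATE, SAMPLE_RECORD)` yields the MAC as `00:11:22:aa:bb:cc` and the two 4-byte ids as 16 and 20, rather than `--` or a lone first byte.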