Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
924
Views
0
Helpful
4
Replies

How to export _> flow.sampling_interval ?

ty.chan007
Level 1
Level 1

‎05-29-2018 09:49 PM - edited ‎03-08-2019 03:10 PM

I am using Cisco ASR 1K .

 

I am trying to find how to export "flow.sampling_interval" value to collector in ELK.

 

please help.

 

Labels:
0 Helpful
4 Replies 4

Georg Pauwen
VIP
VIP

‎05-30-2018 12:56 AM

Hello,

 

on the ASR, I think you need to configure Netflow version 8, which has the sample interval field in the header. 

 

--> ip flow-export version 8

 

The corresponding field in your elastiflow config would be:

 

"[netflow][sampling_interval]" => "[flow][sampling_interval]"

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/xe-3s/asr1000/nf-xe-3s-asr1000-book/cfg-nflow-data-expt-xe.html#GUID-3D1F5B64-E9E5-4433-98AE-BDBF5B259BF5

 

https://github.com/robcowart/elastiflow/blob/master/logstash/elastiflow/conf.d/20_filter_20_netflow.logstash.conf

0 Helpful

ty.chan007
Level 1
Level 1
In response to Georg Pauwen

‎05-30-2018 02:13 AM

There is no option to select version 8.

Available options are:
ipfix IPFIX (Version 10)
netflow-v5 NetFlow Version 5
netflow-v9 NetFlow Version 9

any suggestion ?
0 Helpful

Georg Pauwen
VIP
VIP
In response to ty.chan007

‎05-30-2018 04:29 AM

Hello,

 

you have to configure an aggregation cache. Th examples below are an excerpt from the document linked...

 

configure terminal
!
ip flow-aggregation cache as
export destination 10.42.42.2 9991
export destination 10.42.41.1 9991
export version 8
enabled
!
interface Fastethernet0/0/0
ip flow ingress

configure terminal
!
ip flow-aggregation cache source-prefix
mask source minimum 30
enabled
!
interface Fastethernet0/0/0
ip flow ingress
!
end

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/xe-3s/asr1000/nf-xe-3s-asr1000-book.pdf

0 Helpful

ty.chan007
Level 1
Level 1
In response to Georg Pauwen

‎05-30-2018 07:07 PM

-##the version that I am using does not support those config anymore. I
have to use flow monitor command. So there is no option to netflow version
beside ipfix, v9 or v5.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card