Unsupported sFlow Structures
SYMPTOM
The log indicates that the Unified Flow Collector cannot process a sFlow record because it has enterprise-specific information that is not supported. For example:
{"level":"error","ts":"2023-06-09T02:50:20.427Z","logger":"flow_processor","caller":"flowprocessor/flow.go:75","msg":"failed to process record","code":"processor/process-record-error","reason":"sFlow v5: could not decode samples: flow struct not supported - enterprise: 25506, format: 1003","stacktrace":"github.com/elastiflow/flowcoll/pkg/processors/flowprocessor.(*FlowProcessor).decodePacket\n\t/tmp/flowcoll/pkg/processors/flowprocessor/flow.go:75\ngithub.com/elastiflow/flowcoll/pkg/processors/flowprocessor.(*FlowProcessor).Run\n\t/tmp/flowcoll/pkg/processors/flowprocessor/flow.go:44"}
PROBLEM
The collector received an sFlow Structure that is does not recognize. This is usually due to a vendor sending its own enterprise-specific structure. Prior to version 6.3.0
, the collector would log the above error when it encountered an unknown sFlow strucuture. As of the release of 6.3.0
the collector graciously ignore unsupported sFlow structures, without logging an error, and will process as much of the available structures that it can.
SOLUTION
Update the collector to version 6.3.0
or newer to graciously ignore unsupported sFlow structures. To add support for a specific sFlow Structure, contact support@elastiflow.com. You will need to supply a PCAP of the records that contain the structure and documentation from the vendor about the contents of the structure.