Hi,
I have a setup that forwards IPFIX to Splunk.
I am not able to search for dropped packages.
Some major vendors use the standard “forwardingStatus” or “fwd_status” field (ElementID 89) to indicate dropped packets in their IPFIX implementations.
Is dropped traffic not sent by IPFIX?
IPFIX does not have a static data model, but instead exchanges templates from the network device to the collector describing the “information elements” it will be sending. If you do a packet capture on the IPFIX stream you will be able to see these templates. They will show you exactly which fields MikroTik sends.
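One way to run the check described in the reply above, as an added example that is not part of the original posts: a minimal RFC 7011 Template Set parser that lists the information elements an exporter announces and reports whether forwardingStatus (ElementID 89) is among them. The function names are hypothetical, and the sample message is constructed for illustration, not taken from a MikroTik capture.

```python
import struct

FORWARDING_STATUS = 89  # IANA element ID mentioned in the thread

def parse_templates(msg: bytes) -> dict:
    """Return {template_id: [(enterprise_number_or_None, element_id, length)]}."""
    if len(msg) < 16:
        raise ValueError("shorter than the 16-byte IPFIX message header")
    version, total_len = struct.unpack_from("!HH", msg, 0)
    if version != 10 or total_len > len(msg):
        raise ValueError("not a complete IPFIX (version 10) message")
    templates, off = {}, 16
    while off + 4 <= total_len:
        set_id, set_len = struct.unpack_from("!HH", msg, off)
        if set_len < 4 or off + set_len > total_len:
            raise ValueError("bad set length")
        pos, end = off + 4, off + set_len
        # Set ID 2 is a Template Set; trailing padding is shorter than 4 bytes
        while set_id == 2 and pos + 4 <= end:
            tid, count = struct.unpack_from("!HH", msg, pos)
            pos += 4
            fields = []
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("truncated template record")
                ie, flen = struct.unpack_from("!HH", msg, pos)
                pos += 4
                pen = None
                if ie & 0x8000:  # enterprise bit: 4-byte enterprise number follows
                    if pos + 4 > end:
                        raise ValueError("truncated enterprise number")
                    (pen,) = struct.unpack_from("!I", msg, pos)
                    pos += 4
                fields.append((pen, ie & 0x7FFF, flen))
            templates[tid] = fields
        off += set_len
    return templates

def has_forwarding_status(fields) -> bool:
    # Only the IANA element counts; a vendor element numbered 89 is a different field
    return any(pen is None and ie == FORWARDING_STATUS for pen, ie, _ in fields)

def build_sample() -> bytes:
    """Constructed message: template 256 lacks element 89, template 257 has it."""
    def tmpl(tid, fields):
        body = b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
        return struct.pack("!HH", tid, len(fields)) + body
    recs = tmpl(256, [(8, 4), (12, 4), (4, 1), (2, 8)]) + tmpl(257, [(8, 4), (12, 4), (89, 1)])
    tset = struct.pack("!HH", 2, 4 + len(recs)) + recs
    return struct.pack("!HHIII", 10, 16 + len(tset), 0, 0, 1) + tset

if __name__ == "__main__":
    for tid, fields in parse_templates(build_sample()).items():
        print(tid, fields, "forwardingStatus:", has_forwarding_status(fields))
```

Pass it the UDP payload of an export packet taken from the capture. If no template lists element 89, the collector has no forwardingStatus field to index, whatever the search looks like.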