The Splunk Add-on for Netflow appears to have a bug. If you run through the configure.sh script and accept all the defaults, it refuses to ingest any Netflow data.
This is because the generated flowfix.sh deletes all ASCII netflow data older than -1 days. That threshold lies in the future, so every file matches and the converted output is removed before Splunk can index it.
You can fix this either by rerunning configure.sh and typing in every value explicitly, or by editing /opt/splunk/etc/apps/Splunk_TA_flowfix/bin/flowfix.sh
and changing the following line:
# Cleanup files older than -1
find /opt/splunk/etc/apps/Splunk_TA_flowfix/nfdump-ascii -type f -mtime +-1 -exec rm -f {} \;
Change the +-1 to +1. This tells the script to clean up ASCII netflow data older than 1 day (i.e. not everything older than some point in the future). One caveat: find counts whole 24-hour periods and discards the fractional part, so -mtime +1 only removes files that are at least two days old; if you want anything older than 24 hours removed, use -mtime +0 instead.
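<br>
The following script is an added example, not part of the Splunk add-on or the original post. It patches the retention line in a copy of flowfix.sh (the path is passed in rather than assumed to be /opt/splunk/...) and, when run without arguments, builds a throwaway directory with a fresh file and a file dated 1 January 2020 to show what the corrected -mtime +1 test actually selects.

```shell
#!/bin/sh
# Added example (not the add-on's own code): fix the "-mtime +-1" retention bug
# in a copy of flowfix.sh and demonstrate what the corrected test matches.
set -eu

# Rewrite "-mtime +-1" to "-mtime +1" in the given flowfix.sh, keeping a .bak
# copy. Prints the corrected find line; fails if nothing was there to fix or
# the buggy pattern survived the rewrite.
fix_flowfix() {
    script="$1"
    if ! grep -q -- '-mtime +-1' "$script"; then
        echo "no -mtime +-1 found in $script; nothing to fix" >&2
        return 1
    fi
    cp "$script" "$script.bak"
    # Plain BRE, so "+" and "-" are literal; written without sed -i for
    # portability between GNU and BSD sed.
    sed 's/-mtime +-1/-mtime +1/' "$script.bak" > "$script"
    if grep -q -- '-mtime +-1' "$script"; then
        echo "$script still contains -mtime +-1" >&2
        return 1
    fi
    grep -- '-mtime +1' "$script"
}

# Show what "-mtime +1" selects. find counts whole 24-hour periods, so a file
# modified just now is kept and a file dated 2020 is listed. Both files are
# constructed here for the demo; nothing under /opt/splunk is touched.
demo_mtime() {
    dir=$(mktemp -d)
    touch "$dir/fresh.txt"                  # mtime = now
    touch -t 202001010000 "$dir/stale.txt"  # mtime = 1 Jan 2020 (POSIX touch -t)
    find "$dir" -type f -mtime +1 -exec basename {} \;
    rm -rf "$dir"
}

# Usage: sh fix_flowfix.sh /path/to/flowfix.sh   (patch a real script)
#        sh fix_flowfix.sh                       (run the -mtime demo)
if [ "$#" -gt 0 ]; then
    fix_flowfix "$1"
else
    echo "Files that -mtime +1 would remove from a constructed directory:"
    demo_mtime
fi
```

Run it against a backup of flowfix.sh first; the .bak copy lets you diff the single changed line before restarting the Splunk input.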