NTA by default does not report on all traffic flows, only what it considers to be interesting. What does it consider to be interesting?
Go to your NTA settings, then look at "Applications and Service Ports - Choose the applications and ports that you want to monitor". This is a list of everything that is currently monitored. You can choose what it does/doesn't monitor here and even add new application and service ports that might be relevant to your environment. If you'd rather just monitor all ports regardless of what is on that page, go back to the main NTA settings page and look for the "Enable data retention for traffic on unmonitored ports" and check that.
You might also need to go to "Monitored Protocols" to see what protocols are being monitored.
Why don't they monitor everything by default? Saves on database space and makes reporting quicker.
We did go to settings and select monitor all ports. We wanted to do this in the begging so we could start to label traffic. The flows that it is missing are standard protocols. Port 445 for cifs. As a test I installed realtime netflow analyzer and selected my machine as an endpoint and then did things like RDP, file transfers, etc. SolarWinds NTA does not show the same thing as the realtime traffic analyzer does. When it does pickup traffic the "total traffic' is usually in correct. For instance I transferred 3 GB of data and it saw 10mgs between my machine and file server.
I am only monitoring traffic input. From what I understand that should get everything.
Ah, didn't know that. Going out on a limb here and guessing you might have a Layer-3 image installed on your switch? If so, can you describe the topology a bit? Are the source and destinations of the traffic your monitoring on the switch itself? Are the source/destination on the same subnet or different subnets? Are you configuring all interfaces with the netflow commands? What about the Layer-2 VLANS?
I haven't worked at all with Netflow on a 3850 much, but from what I'm reading you probably want to configure up your netflow template on the inbound direction of each interface that traffic might pass over. It's possible you might need to configure it on your L-3 and L-2 VLAN interfaces, which appears to be supported on this platform.
I know on the 6500's by default you only see the traffic that isn't Layer-3 switched, until you configure some mls commands I think. Quite often the only traffic you see is that going to from the router, like telnet/ssh/snmp/etc until you get it configured right. From the 3850 features, it sounds like this might not be the case with the 3850's though, I definitely don't see it in the IOS commands right now.
Unfortunately the only 3850 I have available is in a low traffic area, so I’m not sure if what I’m seeing in our config is all the netflow we should be seeing or not. I am seeing some flows reach over 10Mb though. Our configuration is very similar to yours…