This technology add-on (TA) collects flow data (NetFlow, IPFIX, sFlow, etc.), including cloud flow logs (AWS, Azure, Google Cloud, Oracle), and SNMP data processed by NetFlow Optimizer™ (NFO) software.
**This TA requires NetFlow Optimizer to function properly.
It can be deployed in your Splunk Enterprise or Splunk Cloud environments.
This data is then visualized by:
• Netflow Analytics for Splunk App (https://splunkbase.splunk.com/app/489/)
• Splunk ITSI and ITEW with Content Pack for SNMP and NetFlow (https://splunkbase.splunk.com/app/7712)
• Splunk App for Enterprise Security (https://splunkbase.splunk.com/app/263/).
Start Your Free NFO Trial and learn more at https://www.netflowlogic.com/netflow-optimizer/
Technology Add-on for Netflow relies on flow data and SNMP data processed by NetFlow Optimizer and enables you to analyse it using Splunk® Enterprise or Splunk Cloud.
It provides CIM compliant field names, eventtypes and tags for NetFlow Optimizer data.
The Add-on can also be used to generate sample events for testing purposes, it contains samples of netflow data and config files for the event generator.
Setup after installation - Splunk Enterprise:
- The TA-netflow is expecting that the sourcetype of events sent from Netflow Optimizer would be set to "flowintegrator". To set it up please create the $SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf file, and add the following lines to it:
[udp://10514]
sourcetype = flowintegrator
- By default NetFlow Optimizer events will be stored in main index. In case you want to use another index, please create the $SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf file, and add the following lines to it:
[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db
coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb
You also need to make sure your $SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf file contains the following:
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
Restart splunk for the configuration changes to take effect.
Setup after installation - Splunk Cloud:
- Set up the forwarding to your Cloud Instance, the recommended method can be found here:
https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/HowtoforwarddatatoSplunkCloud
- The TA-netflow is expecting that the sourcetype of events sent from Netflow Optimizer would be set to "flowintegrator". To set it up, on the UF forwarding to the Splunk Cloud please create the $SPLUNK_UF_ROOT/etc/system/local/inputs.conf file if it does not exist, and add the following lines to it:
[udp://10514]
sourcetype = flowintegrator
- [Optional] By default NetFlow Optimizer events will be stored in main index. In case you want to use another index, please create the index based on these instructions:
https://docs.splunk.com/Documentation/SplunkCloud/latest/User/Manageindexes
On the UF forwarding to the Splunk Cloud please create the $SPLUNK_UF_ROOT/etc/system/local/inputs.conf file if it does not exist, and add the following lines to it, assuming that the new index was named flowintegrator:
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
Further documentation can be found at: NetFlow Analytics for Splunk User Manual
To contact NetFlow Logic support, please visit: NetFlow Logic Support page
