Configuration
Configuration > App Setup
This App (netflow) (https://splunkbase.splunk.com/app/489/) relies on *flow data processed by NetFlow Optimizer™ (NFO) and enables you to analyze it using Splunk® Enterprise or Splunk® Cloud.
The App should be installed on your Splunk Search Heads.
This App requires the Technology Add-On for NetFlow (TA-netflow) (https://splunkbase.splunk.com/app/1838/). This Add-on collects *flow data processed by NetFlow Optimizer™ (NFO) software by NetFlow Logic, providing Splunk CIM-compliant field names, eventtypes and tags for *flow data.
Install this Add-on on your Splunk Search Heads, Indexers, and Heavy Forwarders.
1. App Configuration
To use an index other than the default main, or to continue using a custom index for your NetFlow events, perform the following on your search heads:
In Settings->Advanced search->Search macros, find the “netflow index” macro, click it, and change the value in the Definition field
from: sourcetype=flowintegrator
to: index=flowintegrator sourcetype=flowintegrator
2. NOTE: Most dashboards have Device dropdowns (your NetFlow/sFlow exporter IPs and their SNMP names). These dropdowns are populated automatically by saved searches that run every 30 minutes. To refresh the Device dropdown values, press the button.
3. Lookup Files
This App contains the following lookup files, populated by saved searches:
| CSV File | Description |
|---|---|
| sampling.csv | contains sampling rates for devices reporting sFlow or sampled NetFlow/IPFIX |
| interfaces_20003.csv | contains SNMP information about network devices and interfaces, such as device name, interface name, alias, and speed |
| mgmt_ip.csv | contains a cached list of mgmt_ip values for the "Device management ip" drop-down |
| nfo_exp-group_exp.csv | contains cached values for the "NFO hostnames"/"Device group"/"Device (Exporter)" drop-downs |
| nfo_vpc_exp.csv | contains cached values for the "NFO hostnames"/"Exporter (VPC)" drop-downs on the AWS dashboards |
| nfo_gcp_project_vpc_subnet.csv | contains cached values for the "NFO hostnames"/"Project ID"/"Exporter (Project ID/VPC/Subnet)" drop-downs on the Google Cloud dashboards |
Optionally, you can set up the following lookup files.
1. Device Groups
Create the exporters-devices.csv lookup file to group devices into logical groups, e.g. by physical location or department. The Device group drop-down will be populated with the list of groups from this lookup file.
For example:
nfo_hostname,exp_ip,management_ip,device_group,caption
nfo_server,10.10.10.2,192.168.63.63,"Group A","Cisco ASR 1k SFO"
nfo_server,10.10.10.3,192.168.63.42,"Group A","Cisco Cat 8500 SFO"
nfo_server,10.10.10.4,192.168.63.53,"Group A","Cisco Cat 8500 LAX"
nfo_server,192.168.1.21,192.168.63.44,"Group B","Palo Alto PA-7080"
nfo_server,192.168.1.22,192.168.63.88,"Group B","Palo Alto PA-5280"
Where:
nfo_hostname - the name of the NFO host
exp_ip - the IP address of the device’s NetFlow exporter
management_ip - the management IP address of the device (the same as exp_ip if the device has no separate management IP)
device_group - the name of the group the device belongs to
caption - the device description used in the Device drop-down on the Interface Errors and Discards dashboard
Create this CSV file and import it into Splunk by going to Settings->Lookups->Lookup table files, clicking New Lookup Table File, uploading the lookup file, and saving it under the same file name.
2. Watched Interfaces
Create the watched-interfaces.csv lookup file to identify the list of network interfaces you would like to monitor on the Watched Interfaces Utilization dashboard.
For example:
nfo_hostname,exp_ip,if_name
nfo_server,10.10.10.2,Fa0/0
nfo_server,10.10.10.3,Gi0/1
Where:
nfo_hostname - the name of the NFO host
exp_ip - the exporter IP address of the device
if_name - the name of the interface (received from SNMP polling)
Create this CSV file and import it into Splunk by going to Settings->Lookups->Lookup table files, clicking New Lookup Table File, uploading the lookup file, and saving it under the same file name.
3. Interface Groups
Create the interface-groups.csv lookup file to see traffic by network interface group. This lookup file is used by the Interface Groups dashboard.
For example:
nfo_hostname,exp_ip,if_name,if_group
nfo_server,10.10.10.2,Fa0/0,Group A
nfo_server,10.10.10.2,Fa0/1,Group A
nfo_server,10.10.10.3,Gi0/1,Group B
Where:
nfo_hostname - the name of the NFO host
exp_ip - the exporter IP address of the device
if_name - the name of the interface (received from SNMP polling)
if_group - the name of the group the interface belongs to
Create this CSV file and import it into Splunk by going to Settings->Lookups->Lookup table files, clicking New Lookup Table File, uploading the lookup file, and saving it under the same file name.
4. My Subnets
Several dashboards (e.g. Microsegmentation Analyzer and Planning, and Traffic Analyzer and Planning (based on the my-subnets.csv lookup)) enable you to analyze traffic based on your subnets. Create the my-subnets.csv lookup file to use these dashboards. It allows you to specify and select subnets nested within subnets up to four levels deep.
For example:
subnet,level_1,level_2,level_3,level_4,description
10.0.5.0/29,ClassA,ClassA1,ClassA11,ClassA111,ClassAsubnet111
10.0.5.8/29,ClassA,ClassA1,ClassA11,ClassA112,ClassAsubnet112
10.0.5.16/28,ClassA,ClassA1,ClassA12,ClassA121,ClassAsubnet121
10.0.5.32/27,ClassA,ClassA1,ClassA12,ClassA122,ClassAsubnet122
10.0.5.64/26,ClassA,ClassA2,ClassA21,ClassA211,ClassAsubnet211
10.0.5.128/27,ClassA,ClassA2,ClassA21,ClassA212,ClassAsubnet212
10.0.5.160/27,ClassA,ClassA2,ClassA22,ClassA221,ClassAsubnet221
10.0.5.192/26,ClassA,ClassA2,ClassA22,ClassA222,ClassAsubnet222
172.16.0.0/12,ClassB,ClassB1,ClassB11,ClassB111,ClassBsubnet111
192.168.0.0/16,ClassC,ClassC1,ClassC11,ClassC111,ClassCsubnet111
100::/18,IPv6_1,IPv6_11,IPv6_111,IPv6_1111,IPv6_1_subnet
104::/18,IPv6_2,IPv6_21,IPv6_211,IPv6_2111,IPv6_2_subnet
108::/18,IPv6_3,IPv6_31,IPv6_311,IPv6_3111,IPv6_3_subnet
10c::/18,IPv6_4,IPv6_41,IPv6_411,IPv6_4111,IPv6_4_subnet
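A malformed row in my-subnets.csv (a CIDR with host bits set, a duplicate subnet, or a level name that appears under two different parents) silently produces wrong groupings in the subnet dashboards. The following added example, which is not part of the netflow app, validates the lookup before upload and classifies addresses by longest-prefix match; that the dashboards resolve nested subnets by longest prefix is an assumption here, and the sample rows are constructed from the page's example plus deliberately bad rows.

```python
# Added example (not part of the netflow app): validate a my-subnets.csv
# lookup and resolve an address to its level_1..level_4 names.
import csv
import io
import ipaddress

LEVELS = ("level_1", "level_2", "level_3", "level_4")

# Constructed sample: rows from the page's example plus three bad rows
# (wrong parent for ClassA1, duplicate subnet, host bits set in the CIDR).
SAMPLE_CSV = """subnet,level_1,level_2,level_3,level_4,description
10.0.5.0/29,ClassA,ClassA1,ClassA11,ClassA111,ClassAsubnet111
10.0.5.8/29,ClassA,ClassA1,ClassA11,ClassA112,ClassAsubnet112
10.0.5.0/24,ClassA,ClassA1,ClassA1x,ClassA1xx,ClassA_whole
172.16.0.0/12,ClassB,ClassB1,ClassB11,ClassB111,ClassBsubnet111
100::/18,IPv6_1,IPv6_11,IPv6_111,IPv6_1111,IPv6_1_subnet
10.0.5.8/29,ClassZ,ClassA1,ClassA11,ClassA112,wrong_parent_and_duplicate
10.0.5.1/29,ClassA,ClassA1,ClassA11,ClassA113,host_bits_set
"""

def load_subnets(text):
    """Parse the lookup. Returns (rows, problems); rows = [(network, row)]."""
    rows, problems, seen, parents = [], [], set(), {}
    reader = csv.DictReader(io.StringIO(text))
    missing = {"subnet", *LEVELS} - set(reader.fieldnames or [])
    if missing:
        return [], ["missing columns: %s" % sorted(missing)]
    for n, row in enumerate(reader, start=2):  # line 2 is the first data row
        try:
            net = ipaddress.ip_network(row["subnet"], strict=True)  # reject host bits
        except ValueError as e:
            problems.append("line %d: bad subnet %r (%s)" % (n, row["subnet"], e))
            continue
        # Each level name must sit under one parent, or the drill-down from
        # level_1 to level_4 in the dashboards becomes ambiguous.
        for parent, child in zip(LEVELS, LEVELS[1:]):
            key = (child, row[child])
            if parents.setdefault(key, row[parent]) != row[parent]:
                problems.append("line %d: %s %r listed under both %r and %r"
                                % (n, child, row[child], parents[key], row[parent]))
        if net in seen:
            problems.append("line %d: duplicate subnet %s" % (n, net))
            continue
        seen.add(net)
        rows.append((net, row))
    return rows, problems

def classify(rows, address):
    """Longest-prefix match: level names for an address, or None if unlisted."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, row in rows:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, row)
    return None if best is None else tuple(best[1][lvl] for lvl in LEVELS)
```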
5. Interface speed override
Several dashboards use the network interface speed received via SNMP polling to calculate the relative load of interfaces (% of Usage). If you would like to override the speed for certain interfaces, you can do so by creating the interfaces.csv lookup file.
For example:
nfo_hostname,management_ip,snmp_index,if_name,if_speed
nfo_server,10.10.10.2,0,First interface,1000000
nfo_server,10.10.10.2,1,Second interface,2000000
Where:
nfo_hostname - the name of the NFO host
management_ip - the management IP address of the device (the same as exp_ip if the device has no separate management IP)
snmp_index - the SNMP index of the interface on the device
if_name - the name of the interface
if_speed - the speed of the interface in Kbits/sec
Create this CSV file and import it into Splunk by going to Settings->Lookups->Lookup table files, clicking New Lookup Table File, uploading the lookup file, and saving it under the same file name.
Configuration > TA-netflow App Setup
This technology add-on should be installed on your Splunk Search Heads, Indexers, and Heavy Forwarders. In previous versions NFO events were inserted into the [flowintegrator] index. To use, or continue using, a custom index for your *flow data, perform the following:
In Splunk, go to Settings->Indexes and, if the [flowintegrator] index is not present, click the New Index button, enter flowintegrator into the Index Name field, and click Save.
Alternatively, if you have SSH access to your Splunk servers, perform the following:
- Create the file $SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf if it does not already exist, and add the following lines to it:
[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/db
coldPath = $SPLUNK_DB/flowintegrator/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb
- Restart Splunk
Configuration > NFO Configuration
Get more value out of NetFlow by enabling additional NetFlow Optimizer (NFO) Logic Modules. By default NetFlow Optimizer is preconfigured with one Logic Module enabled, “10067: Top Traffic Monitor”. This Module feeds data to most bandwidth monitoring dashboards.
By enabling and configuring other NFO Modules, you activate additional NetFlow analytics to be sent to Splunk, which are visualized in the corresponding dashboards. You may enable / disable the entire Module Set or each individual Module, as depicted below.
To learn more about NetFlow Optimizer Modules, please review the NetFlow Optimizer User Guide.
Visualization Parameters
The chart type and the stacking mode can be customized at the app level by modifying the visualisation.parameters.csv lookup file in $SPLUNK_ROOT/etc/apps/netflow/lookups/
By default it has these values:
param,value
charting.chart,area
charting.chart.stackMode,stacked
Configuration > NFO Index Usage
This dashboard enables you to analyze how the Splunk index is used by NFO instances, the various NFO Modules, and network devices. You can see which NFO Module is the most chatty and make configuration changes to ensure you use your Splunk license wisely.
Using ifAlias instead of ifName in Interfaces Dashboards
This App shows SNMP interface names instead of input / output SNMP indexes. This is achieved through SNMP polling. By default ifName is used in the dashboards. If you'd like to use ifAlias instead of ifName, perform the following.
Procedure
1. Copy the following macro from .../default/macros.conf to .../local/macros.conf:
[get_iface_name(2)]
args = result, param
definition = lookup exporters_devices_lookup nfo_hostname exp_ip OUTPUT management_ip \
| eval management_ip = if(management_ip=="Unassigned", exp_ip, management_ip) \
| lookup interfaces_lookup nfo_hostname management_ip snmp_index as $param$ OUTPUT if_name as ifname_interfaces \
| lookup interfaces_20003_lookup nfo_hostname exp_ip ifIndex as $param$ OUTPUT ifName as ifname_20003 \
| eval ifname_20003=if(ifname_20003=="unknown",$param$,ifname_20003) \
| eval $result$ = if(ifname_interfaces=="unknown",ifname_20003,ifname_interfaces) \
| eval $result$ = mvindex($result$,0)
2. In line 6, change ifName as ifname_20003 to ifAlias as ifname_20003
3. Restart Splunk