Installation
Pre-installation Steps
NetFlow and SNMP Analytics for Splunk App relies on *flow data processed by NetFlow Optimizer™ (NFO) and enables you to analyze it using Splunk® Enterprise or Splunk® Cloud.
To download a free trial of NetFlow Optimizer, please visit https://www.netflowlogic.com/download/ and register to receive the FREE trial license. Please see NetFlow Optimizer Installation and NetFlow Optimizer Administration Guide and follow instructions for your platform.
NetFlow data is sent to Splunk from NFO in syslog or JSON formats.
Whether you use Splunk Enterprise or Splunk Cloud, configure your Splunk Data inputs accordingly per your accepted best practices.
You need to install both NetFlow and SNMP Analytics for Splunk App and Technology Add-On for NetFlow:
- NetFlow and SNMP Analytics for Splunk App (netflow) (https://splunkbase.splunk.com/app/489/)
- Technology Add-On for NetFlow (TA-netflow) (https://splunkbase.splunk.com/app/1838/)
NFO can send data to Splunk using one of the following options:
- Directly on UDP input port of Splunk Indexer (OK for POC, but not recommended in production due to potential loss of data)
- Via Splunk HEC
- Via Splunk Forwarder
- Via rsyslog / syslog-ng and Splunk forwarders
- Via Splunk Connect for Syslog
Installing into a Splunk Cloud Deployment
You must be a Splunk Cloud administrator to install and manage apps in your Splunk Cloud deployment. The procedure for installing apps and add-ons for use with your Splunk Cloud instance depends on the type of your Splunk Cloud deployment and the version of Splunk Cloud that you are running. Please visit Splunk Cloud Platform Admin Manual for details: https://docs.splunk.com/Documentation/SplunkCloud/latest/Admin/SelfServiceAppInstall.
Installing Splunk App and TA
Install the App on your Splunk Search Heads
NetFlow and SNMP Analytics for Splunk App (netflow) is available here: (https://splunkbase.splunk.com/app/489/).
Several dashboards of the App rely on Force Directed App for Splunk for Topology View. Please make sure it is installed in your Splunk environment: https://splunkbase.splunk.com/app/3767/ to use Topology View.
This App requires the Technology Add-On for NetFlow (TA-netflow).
Install Add-on on your Splunk Search Heads, Indexers, and Heavy Forwarders��
Technology Add-On for NetFlow (TA-netflow) is available here: (https://splunkbase.splunk.com/app/1838/). This Add-on collects *flow data processed by NetFlow Optimizer™ (NFO) software by NetFlow Logic, providing Splunk CIM compliant field names, event types and tags for *flow data. The Add-on can be used with the App, Splunk Enterprise Security, Splunk ITSI, and Splunk IT Essentials Works App.
Installing into Splunk Enterprise
Technology Add-on for NetFlow Installation
This TA enables you to ingest flow data into events index or metrics index.
Choose Events index if you need access to raw events. However, this option results in slower performance.
Choose Metrics index for better performance with large volumes of flow data, but you need to use mpreview or mstats command to search and view your data.
- Events Index
- Metrics Index
By default NetFlow Optimizer events will be stored in main index. In case you want to use another index, for example flowintegrator, go to Settings->Indexes and if the [flowintegrator] index is not present click on the New Index button, enter flowintegrator
and click Save.
Alternatively, if you have SSH access to your Splunk servers, please perform the following:
Create the $SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf file, and add the following lines to it:
[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/db
coldPath = $SPLUNK_DB/flowintegrator/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb
Set sourcetype to flowintegrator In your Data inputs
Restart Splunk
To ingest flow data into metrics index please go to Settings->Indexes and click on the New Index button, enter netflow_metrics, select Index Data Type Metrics, and click Save.
Alternatively, if you have SSH access to your Splunk servers, please perform the following:Create the $SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf file, and add the following lines to it:
[netflow_mterics]
coldPath = $SPLUNK_DB/netflow_mterics/colddb
datatype = metric
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB/netflow_mterics/db
maxTotalDataSizeMB = 512000
thawedPath = $SPLUNK_DB/netflow_mterics/thaweddb
Set sourcetype to netflow_metrics in your Data inputs
Restart Splunk
This Add-on has the following settings in props.conf and transforms.conf. If necessary, edit these settings to match your requirements.
props.conf
[netflow_metrics]
INDEXED_EXTRACTIONS = json
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
category = Log to Metrics
TRANSFORMS-extract_all_fields = extract_all_fields
METRIC-SCHEMA-TRANSFORMS = metric-schema:netflow_metrics
disabled = false
pulldown_type = true
KV_MODE = none
tranforms.conf
The following stanza in transforms.conf indicates which of the numeric fields should be treated as dimantions in metrics index:
[metric-schema:netflow_metrics]
METRIC-SCHEMA-MEASURES = _NUMS_EXCEPT_ nfc_id,src_port,src_asn,src_tos,src_vlan,dest_port,dest_asn,dest_tos,dest_vlan,protocol,input_snmp,output_snmp,ifIndex,ifName,ifType,ifDescr,row_num
You may see which fields are dimensions and which are metrics by running the following search:
| mcatalog values(_dims) values(metric_name) WHERE "index"="netflow_mterics"
NetFlow Analytics for Splunk App Installation
- Events Index
- Metrics Index
After installing NetFlow and SNMP Analytics for Splunk App, go to Settings->Advanced search->Search macros. Find [netflow_index] macro, click on it, and change the definition toindex=flowintegrator sourcetype=flowintegrator .
Alternatively, if you have SSH access to your Splunk servers, please perform the following:
Create the file if it does not already exist: $SPLUNK_ROOT/etc/apps/netflow/local/macros.conf, and add the following lines to it:
[netflow_index]
definition = index=flowintegrator sourcetype=flowintegrator
Restart Splunk for the changes to take effect.
If you are going to use netflow_metrics index, you can skip this section. If you are going to use a different index, then after installing NetFlow and SNMP Analytics for Splunk App, go to Settings->Advanced search->Search macros. Find [netflow_metrics_index] macro, click on it, and change the definition toindex=your_netflow_metrics sourcetype=netflow_metrics .
Alternatively, if you have SSH access to your Splunk servers, please perform the following:
Create the file if it does not already exist: $SPLUNK_ROOT/etc/apps/netflow/local/macros.conf, and add the following lines to it.
If your input data format is JSON:
[netflow_index]
definition = index=your_netflow_metric sourcetype=netflow_metrics
If your input data format is Syslog:
[netflow_index]
definition = index=your_netflow_metric sourcetype=netflow_syslog_metrics
Restart Splunk for the changes to take effect.