Get more value out of NetFlow by enabling additional NetFlow Optimizer (NFO) Logic Modules. By default NetFlow Optimizer is preconfigured with one Logic Module enabled, "10067: Top Traffic Monitor". This Module feeds data to most bandwidth monitoring dashboards.
By enabling and configuring other NFO Modules, you activate additional NetFlow analytics that are sent to Splunk and visualized in the corresponding dashboards. You may enable or disable the entire Module Set or each individual Module, as depicted below.
To learn more about NetFlow Optimizer Modules, please review the NetFlow Optimizer User Guide.
Optionally, you can set up the following lookup files.
exporters-devices.csv lookup file to group devices into logical groups, e.g. by physical location or department. The Device group drop-down is populated with the list of groups from this lookup file.
nfo_hostname - name of the NFO host
exp_ip - IP address of the device's NetFlow exporter
management_ip - management IP address of the device (the same as exp_ip if the device has no separate management IP)
device_group - name of the group the device belongs to
watched-interfaces.csv lookup file to identify the network interfaces you would like to monitor on the Watched Interfaces Utilization dashboard.
nfo_hostname - name of the NFO host
exp_ip - exporter IP address of the device
if_name - name of the interface (received from SNMP polling)
interface-groups.csv lookup file to see traffic by network interface groups. This lookup file is used in the Interface Groups dashboard.
nfo_hostname - name of the NFO host
exp_ip - exporter IP address of the device
if_name - name of the interface (received from SNMP polling)
if_group - name of the group the interface belongs to
Several dashboards use the network interface speed received via SNMP polling to calculate the relative load of interfaces (% of Usage). If you would like to override the speed for certain interfaces, you can do so by creating the interfaces.csv lookup file.
nfo_hostname - name of the NFO host
management_ip - management IP address of the device (the same as exp_ip if the device has no separate management IP)
snmp_index - SNMP index of the interface on the device
if_name - name of the interface
if_speed - speed of the interface in Kbits/sec
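A malformed lookup file silently produces empty drop-downs or wrong % of Usage figures, so it pays to check the four files before copying them into the app. The following is an added example in Python, not code from the NetFlow Analytics app or from NFO: it checks that each file carries the columns listed above, that the exp_ip and management_ip columns parse as IP addresses, and that snmp_index is an integer and if_speed a positive integer in Kbits/sec. The hostname nfo01, the 10.x addresses and all sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress

# Required columns per lookup file, from the field lists above.
REQUIRED_COLUMNS = {
    "exporters-devices.csv": ["nfo_hostname", "exp_ip", "management_ip", "device_group"],
    "watched-interfaces.csv": ["nfo_hostname", "exp_ip", "if_name"],
    "interface-groups.csv": ["nfo_hostname", "exp_ip", "if_name", "if_group"],
    "interfaces.csv": ["nfo_hostname", "management_ip", "snmp_index", "if_name", "if_speed"],
}
IP_COLUMNS = {"exp_ip", "management_ip"}


def _cell(row, col):
    """Cell value as a stripped string; DictReader gives None for short rows."""
    return (row.get(col) or "").strip()


def validate_lookup(filename, text):
    """Return a list of problems found in one lookup CSV (empty list means OK)."""
    required = REQUIRED_COLUMNS[filename]
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in required if c not in (reader.fieldnames or [])]
    if missing:
        return [f"{filename}: missing column(s) {missing}"]

    problems = []
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        for col in required:
            if not _cell(row, col):
                problems.append(f"{filename}:{lineno}: empty {col}")
        for col in IP_COLUMNS & set(required):
            value = _cell(row, col)
            if value:
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    problems.append(f"{filename}:{lineno}: {col}={value!r} is not an IP address")
        if "snmp_index" in required:
            idx = _cell(row, "snmp_index")
            if idx and not idx.isdigit():
                problems.append(f"{filename}:{lineno}: snmp_index must be an integer")
        if "if_speed" in required:
            speed = _cell(row, "if_speed")
            if speed and (not speed.isdigit() or int(speed) <= 0):
                problems.append(f"{filename}:{lineno}: if_speed must be a positive integer (Kbits/sec)")
    return problems


# Constructed sample files. Hostnames and 10.x addresses are placeholders.
SAMPLES = {
    "exporters-devices.csv": (
        "nfo_hostname,exp_ip,management_ip,device_group\n"
        "nfo01,10.1.1.1,10.1.1.1,Datacenter-East\n"      # no separate management IP: repeat exp_ip
        "nfo01,10.1.2.1,10.200.0.5,Branch-Office\n"
    ),
    "watched-interfaces.csv": (
        "nfo_hostname,exp_ip,if_name\n"
        "nfo01,10.1.1.1,Gi0/1\n"
    ),
    "interface-groups.csv": (
        "nfo_hostname,exp_ip,if_name,if_group\n"
        "nfo01,10.1.1.1,Gi0/1,Uplinks\n"
        "nfo01,10.1.2.1,Gi0/2,Uplinks\n"
    ),
    "interfaces.csv": (
        "nfo_hostname,management_ip,snmp_index,if_name,if_speed\n"
        "nfo01,10.1.1.1,2,Gi0/1,1000000\n"               # 1 Gbit/s override, expressed in Kbits/sec
        "nfo01,10.200.0.5,3,Gi0/2,1Gbps\n"               # deliberately wrong: unit text, not Kbits/sec
    ),
}


def validate_all(samples=SAMPLES):
    """Validate every sample file; returns {filename: [problems]}."""
    return {name: validate_lookup(name, text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, problems in validate_all().items():
        print(name, "OK" if not problems else "")
        for p in problems:
            print("  ", p)
```

Run against the constructed samples, only the interfaces.csv row with "1Gbps" is flagged; the other three files pass. Point validate_lookup at the real file contents before placing them in the app's lookups directory.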
The chart type and the stacking mode can be customized at the app level by modifying the visualisation.parameters.csv lookup file in
By default it has these values:
This dashboard lets you analyze how your Splunk index is used by the various NFO Modules and network devices. You can see which NFO Module is the most chatty and adjust its configuration to make sure you use your Splunk license wisely.
Most dashboards have a Device dropdown (your NetFlow/sFlow exporter IPs and their SNMP names). This dropdown is populated automatically by the "save_exporters" saved search, which runs every 30 minutes. The SNMP-related dashboards use the management IP addresses. To refresh the Device dropdown values, go to Settings > Update Device Dropdown and press the "Update Device lists" button.
This App shows SNMP interface names instead of input / output SNMP indexes. This is achieved through SNMP polling. By default ifName is used in the dashboards. If you'd like to use ifAlias instead of ifName, perform the following.
1. Copy the following macro from
[get_iface_name(2)]
args = result, param
definition = lookup exporters_devices_lookup nfo_hostname exp_ip OUTPUT management_ip \
| eval management_ip = if(management_ip=="Unassigned", exp_ip, management_ip) \
| lookup interfaces_lookup nfo_hostname management_ip snmp_index as $param$ OUTPUT if_name as ifname_interfaces \
| lookup interfaces_20003_lookup nfo_hostname exp_ip ifIndex as $param$ OUTPUT ifName as ifname_20003 \
| eval ifname_20003=if(ifname_20003=="unknown",$param$,ifname_20003) \
| eval $result$ = if(ifname_interfaces=="unknown",ifname_20003,ifname_interfaces) \
| eval $result$ = mvindex($result$,0)
2. In line 6 change "ifName as ifname_20003" to "ifAlias as ifname_20003".
3. Restart Splunk
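Read as a whole, the macro resolves an interface name through a three-step fallback, and the step 2 edit only changes which SNMP column the middle step returns. The following added Python example (not code from the NetFlow Analytics app or from NFO) reproduces that precedence so the effect of the edit is visible: the optional interfaces.csv override wins (keyed by management IP and snmp_index, after the "Unassigned" management IP is replaced by exp_ip), then the SNMP-polled interfaces_20003_lookup (keyed by exporter IP and ifIndex), then the bare SNMP index. The name_field argument stands in for the ifName-to-ifAlias edit; the hostname nfo01, the 10.x addresses, interface names and lookup rows are constructed for illustration.

```python
import csv
import io

# Constructed exporters_devices_lookup rows. "Unassigned" is the value the macro
# tests for to mean "no separate management IP, use exp_ip".
EXPORTERS_DEVICES = """nfo_hostname,exp_ip,management_ip,device_group
nfo01,10.1.1.1,Unassigned,Datacenter-East
nfo01,10.1.2.1,10.200.0.5,Branch-Office
"""

# Constructed interfaces_lookup rows (the optional interfaces.csv override).
INTERFACES = """nfo_hostname,management_ip,snmp_index,if_name,if_speed
nfo01,10.1.1.1,2,Uplink-to-Core,1000000
"""

# Constructed rows standing in for the SNMP-polled interfaces_20003_lookup.
INTERFACES_20003 = """nfo_hostname,exp_ip,ifIndex,ifName,ifAlias
nfo01,10.1.1.1,2,Gi0/1,Core uplink
nfo01,10.1.1.1,3,Gi0/2,Server VLAN trunk
nfo01,10.1.2.1,1,Gi0/0,unknown
"""

UNKNOWN = "unknown"   # the "no match" marker the macro compares against


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def management_ip_for(nfo_hostname, exp_ip, exporters=EXPORTERS_DEVICES):
    """First lookup + eval of the macro: an Unassigned management IP falls back to exp_ip."""
    for row in _rows(exporters):
        if row["nfo_hostname"] == nfo_hostname and row["exp_ip"] == exp_ip:
            mgmt = row["management_ip"]
            return exp_ip if mgmt == "Unassigned" else mgmt
    # No device record at all: this example's choice is to treat it as unassigned.
    return exp_ip


def resolve_interface_name(nfo_hostname, exp_ip, index, name_field="ifName",
                           exporters=EXPORTERS_DEVICES, interfaces=INTERFACES,
                           interfaces_20003=INTERFACES_20003):
    """Python counterpart of get_iface_name(result, param) for one flow record.

    name_field="ifName" mirrors the shipped macro; "ifAlias" mirrors the edit
    in step 2 above. Returns a single string, as the macro's mvindex($result$, 0)
    keeps only the first value when several rows match.
    """
    index = str(index)
    mgmt_ip = management_ip_for(nfo_hostname, exp_ip, exporters)

    # 1. User override from interfaces.csv, keyed by management IP and snmp_index.
    for row in _rows(interfaces):
        if (row["nfo_hostname"], row["management_ip"], row["snmp_index"]) == (nfo_hostname, mgmt_ip, index):
            if row["if_name"] != UNKNOWN:
                return row["if_name"]
            break

    # 2. SNMP-polled name, keyed by exporter IP and ifIndex.
    for row in _rows(interfaces_20003):
        if (row["nfo_hostname"], row["exp_ip"], row["ifIndex"]) == (nfo_hostname, exp_ip, index):
            if row[name_field] != UNKNOWN:
                return row[name_field]
            break

    # 3. Nothing known: the macro falls back to the bare SNMP index.
    return index


if __name__ == "__main__":
    for exp_ip, idx in (("10.1.1.1", 2), ("10.1.1.1", 3), ("10.1.2.1", 1), ("10.1.2.1", 7)):
        print(exp_ip, idx,
              resolve_interface_name("nfo01", exp_ip, idx),
              resolve_interface_name("nfo01", exp_ip, idx, name_field="ifAlias"))
```

Two consequences worth noticing before switching to ifAlias: an interfaces.csv override is returned regardless of name_field, so interfaces you renamed by hand look the same either way, and an interface whose ifAlias was never set on the device falls through to the bare index, whereas ifName would still have shown Gi0/0.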