Administration

Settings > Configuration

NetFlow Optimizer Modules

Get more value out of NetFlow by enabling additional NetFlow Optimizer (NFO) Logic Modules. By default NetFlow Optimizer is preconfigured with one Logic Module enabled, "10067: Top Traffic Monitor". This Module feeds data to most bandwidth monitoring dashboards.

By enabling and configuring other NFO Modules, you activate additional NetFlow analytics to be sent to Splunk, which are visualized in the corresponding dashboards. You may enable or disable an entire Module Set or each Module individually, as depicted below.

To learn more about NetFlow Optimizer Modules, please review the NetFlow Optimizer User Guide.

Lookup Files

Optionally, you can set up the following lookup files.

1. Device Groups

Create the exporters-devices.csv lookup file to group devices into logical groups, e.g. by physical location or department. The Device group drop-down will be populated with the list of groups from this lookup file.

For example:

nfo_hostname,exp_ip,management_ip,device_group
nfo_server,10.10.10.2,192.168.63.63,Group A
nfo_server,10.10.10.3,192.168.63.42,Group A
nfo_server,10.10.10.4,192.168.63.53,Group A
nfo_server,192.168.1.21,192.168.63.44,Group B
nfo_server,192.168.1.22,192.168.63.88,Group B

Where:

nfo_hostname - the name of the NFO host
exp_ip - the IP address of the device's NetFlow exporter
management_ip - the management IP address of the device (the same as exp_ip if the device doesn't have an actual management IP)
device_group - the name of the group to which the device belongs

2. Watched Interfaces

Create the watched-interfaces.csv lookup file to identify the list of network interfaces you would like to monitor on the Watched Interfaces Utilization dashboard.

For example:

nfo_hostname,exp_ip,if_name
nfo_server,10.10.10.2,Fa0/0
nfo_server,10.10.10.3,Gi0/1

Where:

nfo_hostname - the name of the NFO host
exp_ip - the exporter IP address of the device
if_name - the name of the interface (received from SNMP polling)

3. Interface Groups

Create the interface-groups.csv lookup file to see traffic by network interface groups. This lookup file is used in the Interface Groups dashboard.

For example:

nfo_hostname,exp_ip,if_name,if_group
nfo_server,10.10.10.2,Fa0/0,Group A
nfo_server,10.10.10.2,Fa0/1,Group A
nfo_server,10.10.10.3,Gi0/1,Group B

Where:

nfo_hostname - the name of the NFO host
exp_ip - the exporter IP address of the device
if_name - the name of the interface (received from SNMP polling)
if_group - the name of the group to which the interface belongs

4. Interface speed override

Several dashboards use the network interface speed received via SNMP polling to calculate the relative load of interfaces (% of Usage). If you would like to override the speed for certain interfaces, you can do so by creating the interfaces.csv lookup file.

For example:

nfo_hostname,management_ip,snmp_index,if_name,if_speed
nfo_server,10.10.10.2,0,First interface,1000000
nfo_server,10.10.10.2,1,Second interface,2000000

Where:

nfo_hostname - the name of the NFO host
management_ip - the management IP address of the device (the same as exp_ip if the device doesn't have an actual management IP)
snmp_index - the SNMP index of the interface on the device
if_name - the name of the interface
if_speed - the speed of the interface in Kbits/sec
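A malformed lookup file does not raise an error in Splunk; the dashboard simply shows no data, "Unassigned" management IPs, or a 0% utilization. The following script is an added example (not part of the NetFlow Logic app or its documentation) that checks all four optional lookup files described above for the defects that cause this: a header that does not match the documented columns (including a UTF-8 BOM left by a spreadsheet export), malformed IP addresses, non-numeric snmp_index or if_speed values, empty fields, and duplicate keys. The column names come from the documentation; the choice of which columns form the unique key per file, and the sample rows, are constructed for the example.

```python
"""Validate NetFlow Optimizer app lookup CSVs before copying them into the app.

Added example, not code from the NetFlow Logic app. Column names follow the
app documentation; the per-file unique-key columns are an assumption.
"""
import csv
import io
import ipaddress

# Documented header for each optional lookup file.
SCHEMAS = {
    "exporters-devices.csv": ["nfo_hostname", "exp_ip", "management_ip", "device_group"],
    "watched-interfaces.csv": ["nfo_hostname", "exp_ip", "if_name"],
    "interface-groups.csv": ["nfo_hostname", "exp_ip", "if_name", "if_group"],
    "interfaces.csv": ["nfo_hostname", "management_ip", "snmp_index", "if_name", "if_speed"],
}
IP_COLUMNS = {"exp_ip", "management_ip"}          # must parse as IPv4/IPv6 addresses
INT_COLUMNS = {"snmp_index", "if_speed"}           # must be non-negative integers
KEY_COLUMNS = {                                    # assumed unique per file
    "exporters-devices.csv": ("nfo_hostname", "exp_ip"),
    "watched-interfaces.csv": ("nfo_hostname", "exp_ip", "if_name"),
    "interface-groups.csv": ("nfo_hostname", "exp_ip", "if_name"),
    "interfaces.csv": ("nfo_hostname", "management_ip", "snmp_index"),
}


def validate_lookup(filename, text):
    """Return a list of problem descriptions; an empty list means the file is clean."""
    problems = []
    expected = SCHEMAS[filename]
    rows = [r for r in csv.reader(io.StringIO(text)) if any(c.strip() for c in r)]
    if not rows:
        return [f"{filename}: file is empty"]
    header = [h.strip() for h in rows[0]]
    if header and header[0].startswith("\ufeff"):
        # A BOM becomes part of the first column name, so it never matches nfo_hostname.
        problems.append(f"{filename}: header begins with a UTF-8 BOM; first column will not match {expected[0]!r}")
        header[0] = header[0].lstrip("\ufeff")
    if header != expected:
        problems.append(f"{filename}: header is {header}, expected {expected}")
        return problems  # column positions are unreliable past this point
    seen = set()
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(expected):
            problems.append(f"{filename}:{lineno}: expected {len(expected)} fields, got {len(row)}")
            continue
        rec = dict(zip(expected, (c.strip() for c in row)))
        for col in expected:
            if rec[col] == "":
                problems.append(f"{filename}:{lineno}: {col} is empty")
        for col in IP_COLUMNS & set(expected):
            try:
                ipaddress.ip_address(rec[col])
            except ValueError:
                problems.append(f"{filename}:{lineno}: {col}={rec[col]!r} is not an IP address")
        for col in INT_COLUMNS & set(expected):
            if not rec[col].isdigit():
                problems.append(f"{filename}:{lineno}: {col}={rec[col]!r} is not a non-negative integer")
        key = tuple(rec[c] for c in KEY_COLUMNS[filename])
        if key in seen:
            problems.append(f"{filename}:{lineno}: duplicate key {key}")
        seen.add(key)
    return problems


# Constructed sample input: a clean device-group file taken from the documented layout...
GOOD_EXPORTERS = """nfo_hostname,exp_ip,management_ip,device_group
nfo_server,10.10.10.2,192.168.63.63,Group A
nfo_server,10.10.10.3,192.168.63.42,Group A
nfo_server,192.168.1.21,192.168.63.44,Group B
"""

# ...and a speed-override file with a duplicated SNMP index, a bad IP and a speed of "1G".
BAD_INTERFACES = """nfo_hostname,management_ip,snmp_index,if_name,if_speed
nfo_server,10.10.10.2,0,First interface,1000000
nfo_server,10.10.10.2,0,First interface again,1000000
nfo_server,10.10.10.300,1,Second interface,1G
"""

if __name__ == "__main__":
    for name, text in (("exporters-devices.csv", GOOD_EXPORTERS), ("interfaces.csv", BAD_INTERFACES)):
        found = validate_lookup(name, text)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  " + p)
```

Run it against the real files from $SPLUNK_ROOT/etc/apps/netflow/lookups/ by reading each file with `open(path, encoding="utf-8")` and passing the text to validate_lookup; fix every reported line before the next save_exporters run picks the file up.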

Visualization Parameters

The type of the charts and the stacking mode can be customized at the app level by modifying the visualisation.parameters.csv lookup file in $SPLUNK_ROOT/etc/apps/netflow/lookups/.

By default it has these values:

param,value
charting.chart,area
charting.chart.stackMode,stacked

Settings > NFO Index Usage

This dashboard enables you to analyze how the Splunk index is used by the various NFO Modules and network devices. You can see which NFO Module is the most chatty and make configuration changes to ensure you use your Splunk license wisely.

Settings > Update Device Dropdown

Most dashboards have a Device dropdown (your NetFlow/sFlow exporter IPs and their SNMP names). This dropdown is populated automatically by the "save_exporters" saved search, which runs every 30 minutes. The SNMP-related dashboards use the management IP addresses. To refresh the Device dropdown values immediately, go to Settings > Update Device Dropdown and press the "Update Device lists" button.

Please visit the Documentation section of the NetFlow Logic website or simply contact us at team_splunk@netflowlogic.com should you have any questions.

Using ifAlias instead of ifName in Interfaces Dashboards

This App shows SNMP interface names instead of input / output SNMP indexes. This is achieved through SNMP polling. By default ifName is used in the dashboards. If you'd like to use ifAlias instead of ifName, perform the following.

Procedure

1. Copy the following macro from .../default/macros.conf to .../local/macros.conf (settings in local/ take precedence over default/ and survive app upgrades)

[get_iface_name(2)]
args = result, param
definition = lookup exporters_devices_lookup nfo_hostname exp_ip OUTPUT management_ip \
| eval management_ip = if(management_ip=="Unassigned", exp_ip, management_ip) \
| lookup interfaces_lookup nfo_hostname management_ip snmp_index as $param$ OUTPUT if_name as ifname_interfaces \
| lookup interfaces_20003_lookup nfo_hostname exp_ip ifIndex as $param$ OUTPUT ifName as ifname_20003 \
| eval ifname_20003=if(ifname_20003=="unknown",$param$,ifname_20003) \
| eval $result$ = if(ifname_interfaces=="unknown",ifname_20003,ifname_interfaces) \
| eval $result$ = mvindex($result$,0)

2. In line 6 of the copied macro (the lookup against interfaces_20003_lookup), change "ifName as ifname_20003" to "ifAlias as ifname_20003"

3. Restart Splunk