
Splunk Integration

The NFO Integration for Splunk provides an enterprise-grade visibility pipeline from the network core to the application layer. Rather than sending raw, unmanaged logs, NFO delivers a structured, enriched data stream that aligns with the Splunk Common Information Model (CIM).

This integration transforms high-volume telemetry into actionable security and operational insights while significantly reducing Splunk license consumption.


1. Architecture: The Data Lifecycle

NFO serves as a high-performance pre-processor, ensuring Splunk receives only high-value, enriched events.

  1. NFO Engine: Performs deduplication, bidirectional stitching (Module 10062), and enrichment (Geo-IP, ASN, Threat Intel).
  2. TA-netflow (Add-on): Installed on Splunk to map NFO data to the Network Traffic and Malware CIM models.
  3. NetFlow Analytics App (UI): Provides unified dashboards, forensic reports, and security alerts for end-users.

2. Deployment Components

Choose the components that match your Splunk environment (Enterprise vs. Cloud) and your visibility goals:

| Component | Role | When to Use |
| --- | --- | --- |
| TA-netflow | Technology Add-on | Mandatory. Required for data parsing, field extraction, and CIM compliance. |
| NetFlow Analytics for Splunk | Visualization App | Recommended. Provides unified dashboards for security, traffic forensics, and troubleshooting. |
| Content Pack for ITSI / ITEW | Service Intelligence | Optional. For Splunk ITSI customers who want to include network health in their Service Trees. |

3. Key Capabilities

  • Unified Cloud & On-Prem Visibility: Use Module 10062 to monitor on-premises hardware and VPC Flow Logs (AWS/Azure/GCP) in a single, standardized Splunk view.
  • CIM & Enterprise Security (ES) Ready: Data is natively mapped to Splunk models, allowing network telemetry to trigger detections in Splunk ES without custom coding.
  • Scalability via HEC: Supports the Splunk HTTP Event Collector (HEC) for secure, high-speed data ingestion, supporting 100Gbps+ environments with predictable indexing costs.
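The CIM mapping and HEC ingestion described above, as an added example that is not NFO's or Splunk's own code. It takes one stitched (bidirectional) flow record that has already been enriched, maps it onto Splunk CIM Network Traffic field names, and wraps it in the HEC event envelope. The input record layout in `SAMPLE_FLOWS`, the `netflow` index and the `nfo:flow` sourcetype are constructed assumptions; the HEC endpoint path, the `Authorization: Splunk <token>` header and the CIM field names are standard Splunk conventions.

```python
"""
Ship enriched, bidirectional flow records to Splunk HEC as CIM Network Traffic events.

Added example; it is not NFO's or Splunk's own code. The input record layout
(SAMPLE_FLOWS), the index name and the sourcetype are constructed assumptions.
Real Splunk conventions used: the HEC endpoint /services/collector/event, the
'Authorization: Splunk <token>' header, and the CIM Network Traffic field names.
"""
import json
import os
import urllib.request

# Constructed sample: one stitched (bidirectional) TCP flow with upstream enrichment.
SAMPLE_FLOWS = [
    {
        "src_ip": "10.1.2.3", "src_port": 51514,
        "dst_ip": "198.51.100.7", "dst_port": 443,
        "proto": 6,
        "bytes_out": 1840, "bytes_in": 92110,
        "packets_out": 21, "packets_in": 70,
        "start": 1700000000, "duration_ms": 3200,
        "exporter": "core-rtr-1",
        "dst_country": "NL", "dst_asn": 64496,   # AS64496 is reserved for documentation
    },
]

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def to_cim_event(flow: dict) -> dict:
    """Map one flow record onto Splunk CIM Network Traffic fields.

    bytes/packets are the sum of both directions, which is only meaningful after
    the two unidirectional records have been stitched upstream.
    """
    return {
        "src_ip": flow["src_ip"],
        "src_port": flow["src_port"],
        "dest_ip": flow["dst_ip"],
        "dest_port": flow["dst_port"],
        "transport": PROTO_NAMES.get(flow["proto"], str(flow["proto"])),
        "bytes_in": flow["bytes_in"],
        "bytes_out": flow["bytes_out"],
        "bytes": flow["bytes_in"] + flow["bytes_out"],
        "packets_in": flow["packets_in"],
        "packets_out": flow["packets_out"],
        "packets": flow["packets_in"] + flow["packets_out"],
        "duration": flow["duration_ms"] / 1000.0,
        "dvc": flow["exporter"],
        # Flow telemetry records traffic that was observed, not a policy decision.
        "action": "allowed",
        # Enrichment fields outside the CIM model, kept for dashboards and hunting.
        "dest_country": flow.get("dst_country"),
        "dest_asn": flow.get("dst_asn"),
    }


def to_hec_payload(flow: dict, index: str = "netflow", sourcetype: str = "nfo:flow") -> dict:
    """Wrap a CIM event in the HEC /services/collector/event envelope."""
    return {
        "time": flow["start"],          # epoch seconds; HEC uses it as _time
        "host": flow["exporter"],
        "index": index,
        "sourcetype": sourcetype,
        "event": to_cim_event(flow),
    }


def to_hec_body(flows: list) -> bytes:
    """HEC accepts several JSON objects in one POST; batching cuts per-request overhead."""
    return "\n".join(json.dumps(to_hec_payload(f)) for f in flows).encode()


def send_to_hec(url: str, token: str, body: bytes, timeout: float = 5.0) -> dict:
    """POST a batch to HEC over HTTPS and return its JSON acknowledgement."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # TLS verified by default
        return json.loads(resp.read())


if __name__ == "__main__":
    body = to_hec_body(SAMPLE_FLOWS)
    print(body.decode())
    # Only send when a collector is configured, e.g.
    # HEC_URL=https://splunk.example:8088/services/collector/event HEC_TOKEN=<token>
    if os.environ.get("HEC_URL") and os.environ.get("HEC_TOKEN"):
        print(send_to_hec(os.environ["HEC_URL"], os.environ["HEC_TOKEN"], body))
```

Because the event is already CIM-shaped, the TA only has to assign the sourcetype to the Network Traffic data model; ES correlation searches that key on `src_ip`, `dest_ip`, `dest_port`, `transport` and `bytes` then pick the data up without custom field extractions. Setting `time` from the flow start rather than the ingest time keeps forensic timelines accurate when a batch is delayed.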

Installation & Operational Guides

Complete your implementation by following these specialized guides:

  • Deployment & Configuration: Instructions for installing the Technology Add-on and establishing the data pipeline via HEC or Syslog.
  • Unified Dashboard Guide: A guide to the NetFlow Analytics for Splunk visualization layer, featuring consolidated dashboards for traffic forensics, security monitoring, and capacity planning.
  • Content Pack for ITSI / ITEW: Documentation for integrating network health scores into Splunk IT Service Intelligence service dependency trees.