Skip to main content
Version: Next

Dashboard Guide

This guide describes all dashboards in the NetFlow and SNMP Analytics App, organized by navigation section. Each entry opens with what the dashboard helps you do, followed by a screenshot and a panel-by-panel reference.

Looking for a dashboard from the previous app version?

Many dashboards have been consolidated. See the Legacy Dashboard Mapping section below, or refer to the 2.12.0 documentation for the full previous dashboard reference.


Overview

Network Overview

Start here when something looks wrong and you need to know where. The default landing page gives you a device-centric health summary in one screen, so you can spot the misbehaving device, the unusual traffic mix, or the active threat before drilling in. This is the first stop in the triage workflow.

Network Overview dashboard showing device metrics, traffic breakdown, and threat KPI panels

Required module: Module 10062 (Network Conversations). Falls back to Module 10067 (Top Traffic) when 10062 data is unavailable, see Top Traffic Fallback.

Filters: Site, Device Type, Device / Network, Time Range.

What it shows:

  • Row 1, Device metrics: Four panels showing device performance: Top Devices by Flows/sec, Throughput (Mbps), Packets/sec, and Average Packet Size. When a specific device is selected, these switch to time-series charts for that device. Read the four together to fingerprint device behavior: high packets with low bytes signals a small-packet flood, and a low average packet size can indicate scanning or DDoS.
  • Row 2, Traffic breakdown: Four donut charts showing Protocol mix, Top Source IPs, Top Destination IPs, and Top Destination Ports & Apps across the filtered scope. Use these to answer "what does normal look like here, and is this it?" at a glance.
  • Row 3, Known Threat Communications: Four KPI panels showing flow counts for threat traffic only (threat_list_name is populated): Inbound Allowed, Inbound Blocked, Outbound Allowed, Outbound Blocked. Red panels require investigation, green panels confirm your controls are working. Clicking any panel jumps to the Security Events dashboard with the matching filters pre-set, so you go from "there's a problem" to "here's the detail" in one click.

Network Conversations

Network Conversations

Your primary tool for answering "who is talking to whom, and about what?" One flexible dashboard replaces five older ones (Network Conversations Bidirectional, Top Applications, Top Users, Applications & Users, and By Protocol & Port). Instead of switching dashboards to change your investigation angle, you change the Group By selector and every panel re-pivots at once.

Network Conversations dashboard showing timechart, ranked bar charts, Sankey diagram, and detail table

Required module: Module 10062.

Filters: Full filter chain, plus a Group By selector between Device/Network and Source IP.

Group By controls how traffic is analyzed across all panels simultaneously, so you can move from a host-pair view to an application or user view without leaving the page:

Group ByShows
Conversation PairSource and destination host pairs
Protocol & PortDestination port and transport protocol
ApplicationApplication name from DPI or NetFlow options
UserUsername from identity enrichment

What it shows:

  • Row 1, Timechart: Traffic over time, stacked by the selected Group By dimension. Click and drag to time-brush, which filters the detail table to the selected window so you can zoom straight to the spike you care about.
  • Row 2, Primary dimension + Top Destinations: Ranked bar chart of the selected Group By dimension alongside a fixed Top Destinations panel. Titles and colors update with the Group By selection.
  • Row 3, Supporting dimensions: Two additional ranked bar charts showing the most useful context for the current investigation mode. For example, when investigating by Conversation Pair, Row 3 shows Top Applications and Top Ports.
  • Row 4, Sankey: Full-width traffic flow diagram. Source and target dimensions respond to the Group By selection: two-node for Conversation Pair, three-node chain (Source, middle dimension, Destination) for Application, User, and Protocol & Port. This is the fastest way to see the shape of traffic rather than just its ranking.
  • Row 5, Detail table: Fixed columns regardless of Group By: Device/Network, Flow Type, Session Origin, Source, Destination, Dest Port, App, Sent, Received, Rcvd/Sent %, Avg Duration, Flow Count, plus conditional User and Threat columns. Filtered by the time-brush selection. Clicking a row pre-fills the Source IP and Dest IP filters without leaving the dashboard, so you can narrow an investigation with a single click.

Security Events

Answer "are we under attack, and are our controls holding?" in one place. This dashboard consolidates threat detection and policy enforcement (replacing Cyber Threats, Top Violators, and Accepts & Rejects) so you can see malicious communications, the internal hosts involved, and what your firewalls actually blocked, side by side.

Security Events dashboard showing KPI panels, threat timechart, and tabbed threat/violator/accepts view

Required module: Module 10062 with Threat Intelligence configured in NFO.

Filters: Full filter chain.

What it shows:

  • Row 1, KPIs: Four entity-count panels: Unique Malicious IPs, Unique Victims (internal hosts that communicated with malicious IPs), Blocked Flows, and Unique Violators (distinct internal sources being blocked). These count distinct entities rather than flows, which is a more operationally useful measure of scope than the flow-count KPIs on the Overview dashboard: one noisy host generating thousands of flows still counts as one victim.
  • Row 2, Timechart: Threat events and Blocked flows on a shared time axis. Fixed, so it does not change when switching tabs. Time-brushing here filters all three tabs at once.
  • Row 3, Tabs:
    • Threats: Map of attacker countries with an enriched table including Threat List and Reputation columns, so you can prioritize by how dangerous the source is.
    • Violators: Internal sources being blocked, with Application, Dest Port, and Action columns, useful for finding misconfigured hosts or policy gaps.
    • Allows & Blocks: Four horizontal bar charts showing Allowed and Blocked traffic by conversation pair and by port, a quick way to confirm a policy is doing what you intended.

Geographic & ASN

See where your traffic actually goes in the world, and which networks it crosses. Useful for spotting traffic to countries you don't do business with, or unexpected transit through a particular autonomous system. Replaces two previous dashboards, By Country and By Autonomous System.

Geographic and ASN dashboard showing side-by-side choropleth world maps for inbound traffic by source country and outbound traffic by destination country

Required module: Module 10062.

Filters: Full filter chain, plus a Show Blocked Flows toggle and a GeoIP Source selector (NFO / Splunk).

What it shows:

  • Country Maps: Two choropleth world maps side by side, Inbound Traffic by Source Country and Outbound Traffic by Destination Country, each country shaded by traffic volume so heavy talkers stand out immediately.
  • Country Traffic: The same data as a ranked breakdown by country, when you need exact figures rather than a visual.
  • ASN Traffic: Traffic ranked by autonomous system, identifying the networks your traffic is exchanged with, for example a cloud provider, a CDN, or an unexpected hosting network.

The GeoIP Source selector chooses how IPs are resolved: NFO uses NFO's real-time GeoIP enrichment, Splunk uses Splunk's built-in MaxMind iplocation lookup. Switch between them to compare, or fall back to Splunk if NFO GeoIP enrichment is not enabled on your flows. The Show Blocked Flows toggle excludes blocked and dropped flows when set to No.

Cloud Traffic

Understand what your network sends to the public cloud, and where. When you need to know which internal hosts are driving cloud spend or reaching services in unexpected regions, this dashboard surfaces cloud provider, service, and region context that raw flow data doesn't carry. NFO adds this context from the cloud IP ranges lookup (AWS, Azure, GCP, OCI).

Cloud Traffic dashboard showing KPI panels, top services and regions bar charts, and Internal Host to Cloud Provider to Cloud Region Sankey diagram

Required module: Module 10062 with cloud enrichment configured in NFO.

Filters: Full filter chain, plus a Cloud Provider selector (All / AWS / Azure / GCP / OCI).

What it shows:

  • Row 1, KPIs: Total Cloud Traffic, Unique Cloud Endpoints, Top Cloud Provider, and Unique Cloud Regions.
  • Row 2, Top Cloud Services + Top Cloud Regions: Two horizontal bar charts showing which cloud services and regions receive the most traffic.
  • Row 3, Sankey: Three-node chain, Internal Host to Cloud Provider to Cloud Region. This answers "which internal hosts are generating traffic to which cloud providers, and where in the world are they going?" in a single view.
  • Row 4, Detail table: Standard columns plus Cloud Service and Cloud Region columns, always populated on this dashboard.

By VLAN

Confirm your segmentation is working, and catch traffic crossing VLANs it shouldn't. A quick way to verify that isolated segments stay isolated and to investigate unexpected VLAN-to-VLAN communication.

By VLAN dashboard showing traffic over time stacked by VLAN and a VLAN-to-VLAN communication detail table

Required module: Module 10062.

Filters: Full filter chain.

What it shows: Traffic over time stacked by VLAN, with a detail table showing VLAN-to-VLAN communication pairs including source and destination IPs, bytes, and flow counts. Watch for pairs that shouldn't be talking, which is often the fastest signal of a segmentation gap.

Concurrent Connections

Catch connection floods and plan capacity from real connection counts. Sudden growth in concurrent connections is an early sign of a flood or a misbehaving application, and steady growth informs sizing decisions.

Concurrent Connections dashboard showing concurrent connection count over time with a per-device breakdown and detail table

Required module: Module 10062.

Filters: Full filter chain.

What it shows: Line chart of concurrent connection count over time (total plus a breakdown by top 5 devices), with a detail table including connection state (Begin / Continuing / End) and duration. The per-device breakdown tells you not just that connections spiked, but where.


Infrastructure Health

Network Topology with Insights

See your network the way it's actually built, then walk it device by device. This dashboard arranges discovered devices into infrastructure tiers (Edge, Core, Firewall, Spine, Access, LB, Endpoint) so the shape of your network is obvious at a glance, then lets you start from any device and expand outward through its neighbors. It's built for the question "what is this device connected to, and where does it sit in the hierarchy?"

Network Topology dashboard showing devices arranged in tier bands from Edge at the top to Endpoint at the bottom, with a selected device expanded to show its neighbors

Required modules: Module 10701 (Auto-discovery Reporter) for device inventory and Module 10062 for connection data. Topology is built from the device inventory (nfc_id=20701) and the connections between devices (nfc_id=20702).

Requires Dashboard Studio 10.4. This dashboard uses the splunk.networkGraph visualization with tier-based positioning, which is a 10.4 feature. Other dashboards in the app run on earlier Splunk versions, but this one specifically needs 10.4.

Deployment

This dashboard reads node positions from a lookup that a scheduled search keeps current with your live topology, so it shows nothing until that lookup and its generator search are installed in the app. If the graph is empty, confirm with your Splunk administrator that the topology position lookup and its scheduled generator search are in place and that the generator is returning data.

Filters: Site, Device Type, Discovery Source, Time Range, Advanced Filter.

Layout: The left side has the filters, severity KPIs (Total, Low, Medium, High, Critical device counts), a searchable list of SNMP-managed devices, and the walk controls (Reset, Undo). The right side has the tiered topology graph, with a Frontier Neighbors table below it.

Reading the graph

Every device sits in a horizontal tier band according to its role in the network, with edge and core infrastructure at the top and endpoints at the bottom:

TierTypical devices
Edge / WANBorder and edge routers (BGP peers, external next-hops)
CoreCore routers
FirewallFirewalls
SpineSpine switches
AccessLeaf switches and distribution switches
LBLoad balancers
EndpointServers, wireless APs, out-of-band management switches

A device's vertical position (its tier) is stable: a spine always appears in the spine band no matter what you have walked to. Its horizontal position is not fixed, it is spread evenly among whatever devices are currently visible, which keeps the layout compact as you expand and collapse the walk.

Walking the topology

Rather than rendering every device at once (which no network graph handles well at scale), the dashboard shows a bounded set of devices around an anchor and lets you move through the network one hop at a time:

  • Set an anchor by clicking a device in the left list or a node in the graph. The graph expands to show that device and its neighbors, each in its own tier.
  • Expand the walk by clicking a row in the Frontier Neighbors table below the graph, which brings that neighbor's connections into view.
  • Reset walk clears the walk and returns to the starting state. Undo last hop steps back one expansion.

Keeping the visible set bounded to an anchor and its neighbors is what makes the graph render reliably. A full-site, all-devices view is not supported by the visualization, and the walk model is the intended way to explore a large topology.

Dragging a node expands it

In Splunk's network graph, a node drag and a node click cannot be told apart, so dragging a node acts as a click and expands it. This is a platform behavior, not a fault in the dashboard. Because node positions come from your topology data, a dragged node returns to its tier position on the next render.

How tiers are determined

NFO discovery does not report a device "role," so each device's tier is derived from how it connects to the rest of the network, using the discovery source (con_source) of its connections across the complete topology:

  • Edge: has a BGP adjacency, or a next-hop to an external (unmanaged) IP.
  • Core: routers that are not edge. Firewalls render in their own band near the core.
  • Spine: an infrastructure-only switch (no server or AP neighbors) with a Layer 3 uplink (OSPF or IP forwarding).
  • Access: a switch with endpoint neighbors, or a pure Layer 2 switch connected to a spine, plus distribution switches. Load balancers render in their own band.
  • Endpoint: servers, wireless APs, and out-of-band management switches.

Because tier is derived from connectivity, a device whose connections are only partially discovered can land in the wrong band. The position generator runs over the full topology to minimize this, and a device with sparse data falls back to a sensible default band. The discovery sources used are LLDP, CDP, and BRIDGE at Layer 2, and IP_FORWARDING, NEXT_HOP, BGP, and OSPF at Layer 3.

Network Device Health

Find your unhealthiest device fast, then see exactly why. One dashboard replaces three (Network Device Health, Interface Errors & Discards, and SNMP Devices CPU & Memory). It sorts devices worst-first and auto-selects the one most in trouble, so you land on the problem instead of hunting for it.

Network Device Health dashboard showing device list, health summary, and device detail

Required module: Module 10103 (SNMP Custom OID Sets Monitor). SNMP traps require NFO to be configured to receive and forward traps to Splunk, see SNMP Trap Inputs.

Filters: Site, Device Type, Time Range, Advanced Filter.

The left panel lists all SNMP-managed devices, sorted worst-health first, with a severity summary strip and a typeahead search box. The right panel shows full detail for the selected device. On load, and on any filter change, the worst-health device in scope is auto-selected, so the right panel is never empty and you never start from a blank screen.


Device Detail

Device Info is the identity card for the selected device, always showing the most recent poll values regardless of time range.

FieldSource
NamesysName
DescriptionsysDescr, OS version and hardware model
LocationsysLocation
UptimesysUpTimeInstance. Unexpectedly low uptime indicates an unplanned restart.
Total InterfacesifNumber
Last PollTimestamp of the most recent successful SNMP poll
Management IPmgmt_ip

Interfaces lists all interfaces for the device, sorted by health score, worst first (top 10 shown by default).

ColumnDescription
Interface NameifName
Utilization %Bandwidth utilization as a percentage of interface capacity
Rx Errors / Rx DiscardsReceive error and discard counts
Tx Errors / Tx DiscardsTransmit error and discard counts
% Packets LostErrors and discards as a percentage of total packets
Health ScorePer-interface score from 0 to 100, see Health Score

CPU & Memory shows time-series charts of CPU and memory utilization over the selected time range, each with an 80% reference line. Titles show the device's CPU and memory health scores.

Traps shows SNMP traps from the selected device (or the 20 most recent across the site when no device is selected). Traps fire the moment an event occurs, so they catch problems that happen between polls.

ColumnDescription
TimestampMost recent first
DeviceDevice name
Trap TypeSNMP trap OID
Source IPIP address that sent the trap
DescriptionHuman-readable trap description
note

SNMP traps are ingested with nfc_id=20700.


Health Score

The health score exists so you can triage by a single number instead of reading raw counters on every interface. Each interface scores 0 to 100, the average of a Packet Loss Score (errors and discards as a percentage of total packets) and a Relative Load Score (utilization at or below 70% scores 100, dropping to 0 at 100%). If only one component is available, it's used alone.

The device severity score is the lowest of interface health, CPU, and memory, so a device with healthy interfaces but 92% CPU still shows Critical. This worst-of-three approach surfaces any device with a serious problem rather than averaging it away.

ScoreSeverityColor
80 to 100Normal🟢 Green
60 to 79Low🟡 Yellow
40 to 59Medium🟠 Orange
20 to 39High🔴 Red
0 to 19Critical🟣 Purple

TCP Health

Find the hosts that are aborting connections, not just generating traffic. A host resetting a large share of its own connections often points to a failing service, a misconfiguration, or scanning behavior that raw volume charts miss. This dashboard ranks hosts by TCP resets and, importantly, by the share of their own connections being reset, using the definitive exporter that sees the most resets for each host to keep counts accurate.

TCP Health dashboard showing TCP resets over time by source host, top source hosts and exporters by resets, resets by site, and sources ranked by percent of connections reset

Required module: Module 10060.

Filters: Site, Device Type, Device, Time Range, Advanced Filter (SPL).

What it shows:

  • TCP Resets Over Time by Source Host (top 8): Stacked area chart tracking reset volume for the eight highest hosts over the selected time range.
  • Top Source Hosts by TCP Resets: Hosts ranked by total reset count.
  • Top Exporters / Devices by Resets: The devices reporting the most resets, useful for locating where resets are observed.
  • Resets by Site: Reset totals grouped by site.
  • Sources by % of Connections Reset (min 5 resets): Hosts ranked by the share of their own connections that were reset (the local_share field), filtered to hosts with at least 5 resets. A high percentage points to a host aborting most of its own connections rather than one simply generating high traffic, which is the signal that usually matters.

Administration

Setup & Configuration

The checklist that gets the app showing data. This built-in reference page walks through bringing the app online in three ordered steps, configure the NFO modules that produce the data, install and verify the TA-netflow add-on, and set up the app itself. Each step depends on the one before it, so work top to bottom.

The page includes a feature-to-module reference showing which NFO module powers each part of the app, handy when a dashboard is empty and you need to know which module to enable:

Feature in this appRequired NFO module
Network Conversations (primary)10062 (Network Conversations Monitor)
Top Traffic (legacy fallback only)10067 (Top Traffic Monitor)
Network Topology10701 (Auto-discovery Reporter)
Device Health10003 / 10103 (SNMP Custom OID Sets / Polling)
TCP Health10060 (TCP Health Monitor)

It also documents a sampling requirement: enable byte multiplication by sampling rate inside Module 10062 so bytes are pre-multiplied at collection time. The app uses byte values as-is and does not apply a query-time sampling lookup, so if 10062 is not pre-multiplying, your traffic volumes will read low.

Data Volume by Site

See what NFO data is costing you in Splunk ingest, and where it comes from. When you need to trim ingest or explain a spike, this dashboard breaks estimated volume down by site, device/network, and NFO module, dimensions the Splunk Monitoring Console cannot break out on its own.

Data Volume by Site dashboard showing total ingest KPIs, data volume over time by module, and volume ranked by site, module, and device/network

Required module: Any NFO module sending data to Splunk.

Filters: Full filter chain (Site, Device Type, Device / Network, Global Time Range).

What it shows:

  • Row 1, KPIs: Total Data Volume, Sites, and Devices / Networks.
  • Row 2, Data Volume Over Time by Module (MB): Stacked area chart of ingest volume over time, split by NFO module, so you can see which module drove a change and when.
  • Row 3, Volume by Site, Volume by NFO Module, and Top 10 Devices / Networks by Volume: Three panels ranking ingest volume by each dimension, for finding the biggest contributors quickly.

Volume is estimated from event size (len(_raw)), not a metered byte count. For authoritative license and disk figures, use Splunk's Monitoring Console under Indexing, License Usage. Longer time ranges scan more raw data and run slower.


Top Traffic Fallback

When Module 10062 (Network Conversations) data is not available but Module 10067 (Top Traffic) data is present, the Network Conversations and Network Overview dashboards render in degraded mode:

  • A persistent, non-dismissible banner indicates degraded mode is active and links to Module 10062 setup instructions.
  • Group By options for Application and User are suppressed, since these fields are not available in Top Traffic data.
  • Panels requiring 10062-only fields (Application, User, Session Origin, Duration) are replaced with an explanatory message.
  • The detail table shows only 10067-compatible columns. The percent_of_total field (native to 10067) replaces the Received and Rcvd/Sent % columns.

No dedicated Top Traffic dashboards exist in the navigation. All other flow dashboards (Security Events, Geographic & ASN, Cloud Traffic, By VLAN, Concurrent Connections, By Duration) require Module 10062 and show a "Module 10062 required" message if data is absent. They do not attempt a 10067 fallback.


Legacy Dashboard Mapping

Previous DashboardReplaced By
Network Conversations BidirectionalNetwork Conversations
Network Conversations Top ApplicationsNetwork Conversations (Group By: Application)
Network Conversations Top UsersNetwork Conversations (Group By: User)
Network Conversations Apps & UsersNetwork Conversations (Group By: Application or User)
Network Conversations By Protocol & PortNetwork Conversations (Group By: Protocol & Port)
Network Conversations Cyber ThreatsSecurity Events, Threats tab
Network Conversations Top ViolatorsSecurity Events, Violators tab
Network Conversations Accepts & RejectsSecurity Events, Allows & Blocks tab
Network Conversations By CountryGeographic & ASN (View: Geographic)
Network Conversations By Autonomous SystemGeographic & ASN (View: ASN)
Network Device HealthNetwork Device Health, Overview tab
Interface Errors & DiscardsNetwork Device Health, Device Detail, Interface Health
SNMP Devices CPU & MemoryNetwork Device Health, Device Detail, CPU & Memory
All Hosts, Applications, Cloud, Firewalls dashboardsNetwork Conversations or Cloud Traffic
All _ts, _metrics, _si variantsRetired, not replaced

For documentation on dashboards not listed here, refer to the 2.12.0 documentation.