Dashboard Guide
This guide describes all 18 dashboards in the NetFlow and SNMP Analytics App, organized by navigation section. Each dashboard uses the standardized filter chain — see App Overview for the full filter standard.
Many dashboards have been consolidated. See the Legacy Dashboard Mapping section below, or refer to the 2.12.0 documentation for the full previous dashboard reference.
Overview
Network Overview
Default landing page. Device-centric network health summary — the first stop in the triage workflow.
Required module: Module 10062 (Network Conversations). Falls back to Module 10067 (Top Traffic) when 10062 data is unavailable — see Top Traffic Fallback.
Filters: Site → Device Type → Device / Network → Time Range.
What it shows:
- Row 1 — Device metrics: Top 10 devices by Flows/sec, Throughput (Mbps), Packets/sec, and Average Packet Size. Use these four panels together to fingerprint device behavior — high packets + low bytes signals a small-packet flood; low average packet size may indicate scanning or DDoS.
- Row 2 — Traffic breakdown: Protocol mix, Top Source IPs, Top Destination IPs, and Top Destination Ports & Apps across the filtered scope.
- Row 3 — Threat flow counts: Four KPI panels showing flow counts for threat traffic only (threat_list_name is populated): Inbound Allowed, Inbound Blocked, Outbound Allowed, Outbound Blocked. Red panels require investigation; green panels confirm controls are working. Clicking any panel navigates to the Security Events dashboard with the appropriate direction and action filters pre-set.
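
The Row 1 fingerprinting heuristic above, worked through on constructed flow records. This is an added example, not code from the app; the field names, device names and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample flow records for one 60-second window (not real data).
# Field names (device, bytes, packets) are assumptions, not the app's schema.
WINDOW_S = 60
FLOWS = (
    [{"device": "core-sw-1", "bytes": 45_000_000, "packets": 30_000}] * 2
    + [{"device": "fw-edge-1", "bytes": 3_840_000, "packets": 60_000}] * 2
    + [{"device": "rtr-branch-2", "bytes": 120, "packets": 2}] * 5
)

def device_metrics(flows, window_s=WINDOW_S):
    """Aggregate flows into the four Row 1 metrics per device."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "packets": 0})
    for f in flows:
        t = totals[f["device"]]
        t["flows"] += 1
        t["bytes"] += f["bytes"]
        t["packets"] += f["packets"]
    return {
        dev: {
            "flows_per_sec": t["flows"] / window_s,
            "mbps": t["bytes"] * 8 / window_s / 1e6,
            "pps": t["packets"] / window_s,
            "avg_pkt_size": t["bytes"] / t["packets"] if t["packets"] else 0.0,
        }
        for dev, t in totals.items()
    }

def fingerprint(m, pps_high=1000, mbps_low=5.0, small_pkt=100):
    """Apply the guide's two heuristics; thresholds are illustrative assumptions."""
    # High packet rate with low throughput: many tiny packets.
    if m["pps"] >= pps_high and m["mbps"] <= mbps_low:
        return "small-packet flood pattern"
    # Low packet rate but tiny packets: probe-like traffic.
    if 0 < m["avg_pkt_size"] <= small_pkt:
        return "small packets: possible scanning or DDoS"
    return "no flag"

def triage(flows):
    """Map each device to the verdict for its aggregated metrics."""
    return {dev: fingerprint(m) for dev, m in device_metrics(flows).items()}

if __name__ == "__main__":
    for dev, verdict in triage(FLOWS).items():
        print(f"{dev:14} {verdict}")
```

core-sw-1 reaches the packet-rate threshold but is not flagged, because its throughput and 1500-byte average packet size are consistent with bulk transfer; this is why the four panels are read together.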

Network Conversations
Network Conversations
Primary traffic investigation dashboard. Replaces five previous dashboards: Network Conversations Bidirectional, Top Applications, Top Users, Applications & Users, and By Protocol & Port.
Required module: Module 10062.
Filters: Full filter chain, plus Group By selector.
Group By controls how traffic is analyzed across all panels simultaneously:
| Group By | Shows |
|---|---|
| Conversation Pair | Source → Destination host pairs |
| Protocol & Port | Destination port and transport protocol |
| Application | Application name from DPI or NetFlow options |
| User | Username from identity enrichment |
What it shows:
- Row 1 — Timechart: Traffic over time, stacked by the selected Group By dimension. Click and drag to time-brush — filters the detail table to the selected window.
- Row 2 — Primary dimension + Top Destinations: Ranked bar chart of the selected Group By dimension alongside a fixed Top Destinations panel. Titles and colors update with Group By selection.
- Row 3 — Supporting dimensions: Two additional ranked bar charts showing the most analytically useful context for the current investigation mode (e.g. when investigating by Conversation Pair, Row 3 shows Top Applications and Top Ports).
- Row 4 — Sankey: Full-width traffic flow diagram with Direction selector (Inbound / Internal / Outbound). Source and target dimensions respond to Group By selection.
- Row 5 — Detail table: Conversation-level detail filtered by time-brush selection. Clicking a row pre-fills Source IP and Dest IP filters for focused investigation without leaving the dashboard.

Security Events
Threat detection and policy enforcement investigation. Replaces three previous dashboards: Cyber Threats, Top Violators, and Accepts & Rejects.
Required module: Module 10062 with Threat Intelligence configured in NFO.
Filters: Full filter chain.
What it shows:
- Row 1 — KPIs: Unique Malicious IPs, Unique Victims, Denied/Dropped Flows, Unique Violators. These are distinct entity counts — more operationally focused than the flow-count KPIs on the Overview dashboard.
- Row 2 — Timechart: Threat events and Denied/Dropped flows on a shared time axis. Time-brush filters all three tabs simultaneously.
- Row 3 — Tabs:
  - Threats — Map of attacker countries with enriched table including Threat List and Reputation columns.
  - Violators — Internal sources being blocked, with Application, Dest Port, and Action columns.
  - Allows & Blocks — Four horizontal bar charts showing accepted and blocked traffic by direction.

Geographic & ASN
Geographic and autonomous system traffic analysis. Replaces two previous dashboards: By Country and By Autonomous System.
Required module: Module 10062.
Filters: Full filter chain, plus View selector (Geographic / ASN) and GeoIP Source toggle (NFO fields / Splunk iplocation).
What it shows: Choropleth map of traffic by country with drill-down to conversation detail, switchable to ASN bar chart view. The GeoIP Source toggle allows comparison between NFO's built-in GeoIP enrichment and Splunk's iplocation function.
By VLAN
VLAN-level traffic segmentation analysis.
Required module: Module 10062.
Filters: Full filter chain.
What it shows: Traffic over time stacked by VLAN, with a detail table showing VLAN-to-VLAN communication pairs including source/destination IPs, bytes, and flow counts.
Concurrent Connections
Active connection count over time. Use for capacity planning and connection flood detection.
Required module: Module 10062.
Filters: Full filter chain.
What it shows: Line chart of concurrent connection count over time (total + breakdown by top 5 devices), with a detail table including connection state (Begin / Continuing / End) and duration.
By Duration
Long-running session detection. Primary use cases: data exfiltration, tunneling, persistent C2 connections, and capacity planning.
Required module: Module 10062.
Filters: Full filter chain.
What it shows: Top 20 conversations by average duration (horizontal bar chart, color intensity by bytes), with a detail table surfacing long-lived sessions. state=C (Continuing) flows are highlighted — these are active sessions that have not yet terminated and are the most relevant for exfiltration and C2 detection.
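
The By Duration ranking described above, as an added example over constructed flow records (not code from the app). The field names, the ts ordering field and the "E" state code are assumptions; only state "C" (Continuing) comes from this guide.

```python
from collections import defaultdict

# Constructed flow records (not real data). Field names are assumptions, not
# the app's schema. ts is a record timestamp used only to order updates.
FLOWS = [
    {"ts": 100, "src": "10.1.4.22", "dst": "203.0.113.50",
     "duration_s": 10_800, "bytes": 1_500_000_000, "state": "C"},
    {"ts": 200, "src": "10.1.4.22", "dst": "203.0.113.50",
     "duration_s": 14_400, "bytes": 2_100_000_000, "state": "C"},
    {"ts": 100, "src": "10.1.7.9", "dst": "198.51.100.7",
     "duration_s": 3_600, "bytes": 20_000, "state": "C"},
    {"ts": 200, "src": "10.1.7.9", "dst": "198.51.100.7",
     "duration_s": 7_200, "bytes": 28_000, "state": "E"},
    {"ts": 100, "src": "10.1.2.5", "dst": "10.1.0.10",
     "duration_s": 30, "bytes": 900_000, "state": "E"},
    {"ts": 200, "src": "10.1.2.5", "dst": "10.1.0.10",
     "duration_s": 90, "bytes": 400_000, "state": "E"},
]

def long_sessions(flows, top_n=20):
    """Rank conversation pairs by average duration; mark those still active."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"])].append(f)
    rows = []
    for (src, dst), recs in groups.items():
        latest = max(recs, key=lambda r: r["ts"])
        rows.append({
            "src": src,
            "dst": dst,
            "avg_duration_s": sum(r["duration_s"] for r in recs) / len(recs),
            "bytes": sum(r["bytes"] for r in recs),
            # Active only if the most recent record is still Continuing: an
            # earlier C followed by E means the session has ended.
            "active": latest["state"] == "C",
        })
    rows.sort(key=lambda r: r["avg_duration_s"], reverse=True)
    return rows[:top_n]

if __name__ == "__main__":
    for r in long_sessions(FLOWS):
        mark = "ACTIVE" if r["active"] else "ended"
        print(f'{r["src"]} -> {r["dst"]}  avg={r["avg_duration_s"]:.0f}s  '
              f'bytes={r["bytes"]}  {mark}')
```

The second pair has a Continuing record followed by an End record, so it is ranked by duration but not marked active.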
Infrastructure Health
Network Topology
Interactive network topology visualization with semantic zoom, device detail on click, and path trace between endpoints. Uses Splunk Dashboard Studio's native splunk.networkgraph visualization (requires Splunk 10.4+).
Required modules: Module 10701 (Auto-discovery Reporter).
Filters: Site (multiselect), Device Type, Device, Discovery Source (L2 / L3 / NEXT_HOP), Source IP, Dest IP.
Two modes:
Topology Browser — Three levels of abstraction:
- Level A (Multi-site): Each site shown as a single node. Node size = device count; color = worst health status across all devices in that site. Edges show inter-site connections only. Click a site to drill into Level B.
- Level B (Device clusters within a site): Devices clustered by type (Router, Switch, Firewall, etc.) in a force layout. Node color = device health status. Click any device to drill into Level C.
- Level C (Device and neighbors): Selected device and all direct neighbors (up to 30 nodes). Edge colors indicate connection type: L2 (blue), L3 (purple), NEXT_HOP (pink). Parallel edges shown when the same device pair has both L2 and L3 connections. Edge tooltips show the underlying discovery protocol (LLDP, CDP, BRIDGE).

Clicking any device node opens a detail panel (slides in from the right, does not replace the canvas) showing:
- Device summary: name, type, site, management IP, location, status.
- Worst interfaces: top 5 by error and discard rate, with time-series drill-down to Network Device Health.
- Top NetFlow conversations through the device, with drill-down to Network Conversations.
Path Trace mode — activated when both Source IP and Dest IP are set. Renders a linear hop chain between endpoints with health indicators per hop. Unmanaged segments appear as gaps with a visual indicator.
Default state: Empty canvas with prompt — "Select a Site to browse topology, or enter Source IP and Destination IP to trace a path between endpoints."
Network Device Health
Unified SNMP device health dashboard. Replaces three previous dashboards: Network Device Health, Interface Errors & Discards, and SNMP Devices CPU & Memory.
Required modules: Module 10103 (SNMP Polling Rules) or Module 10003 (SNMP Custom OID Sets Monitor).
Filters: SNMP filter chain (Site → Device Type → Device → Time Range).
Three tabs:
- Overview — Device list sorted by health score (worst first). Columns: Site, Device Name, Device Type, Management IP, Location, Status, Min Health Score. Click any device to select it — a banner confirms the selection and prompts you to switch tabs.
- Interface Health — Available after selecting a device. Interface table with error and discard counts and % packets lost. Click an interface to view a time-series chart of errors and discards over time.
- CPU & Memory — Available after selecting a device. CPU and memory utilization over time with an 80% reference line on both charts.
Selecting a new Site or Device Type clears the device and interface selection. Switching tabs does not clear the selection.
TCP Health
TCP session health metrics — retransmissions, round-trip time, and out-of-order segments.
Required module: Module 10060.
Filters: SNMP filter chain (Site → Device Type → Device → Time Range).
Configuration
Setup
Initial app setup wizard — configure the netflow_index macro and verify data connectivity.
Configuration
Advanced app configuration settings.
TA-netflow App Setup
Links directly to the TA-netflow app configuration page in Splunk.
Index Usage
NFO data volume and index usage statistics — useful for Splunk license monitoring and capacity planning.
Top Traffic Fallback
When Module 10062 (Network Conversations) data is not available but Module 10067 (Top Traffic) data is present, the Network Conversations and Network Overview dashboards render in degraded mode:
- A persistent banner indicates degraded mode is active.
- Panels requiring 10062-only fields (Application, User, Direction, Duration) are replaced with an explanatory message.
- Group By options for Application and User are suppressed.
- The detail table shows only 10067-compatible columns.
No dedicated Top Traffic dashboards exist in the navigation. Customers running only Module 10067 receive the best available view through the standard dashboards in degraded mode.
Legacy Dashboard Mapping
| Previous Dashboard | Replaced By |
|---|---|
| Network Conversations Bidirectional | Network Conversations |
| Network Conversations Top Applications | Network Conversations (Group By: Application) |
| Network Conversations Top Users | Network Conversations (Group By: User) |
| Network Conversations Apps & Users | Network Conversations (Group By: Application or User) |
| Network Conversations By Protocol & Port | Network Conversations (Group By: Protocol & Port) |
| Network Conversations Cyber Threats | Security Events → Threats tab |
| Network Conversations Top Violators | Security Events → Violators tab |
| Network Conversations Accepts & Rejects | Security Events → Allows & Blocks tab |
| Network Conversations By Country | Geographic & ASN (View: Geographic) |
| Network Conversations By Autonomous System | Geographic & ASN (View: ASN) |
| Network Device Health | Network Device Health → Overview tab |
| Interface Errors & Discards | Network Device Health → Interface Health tab |
| SNMP Devices CPU & Memory | Network Device Health → CPU & Memory tab |
| All Hosts, Applications, Cloud, Firewalls dashboards | Network Conversations |
| All _ts, _metrics, _si variants | Retired — not replaced |
For documentation on dashboards not listed here, refer to the 2.12.0 documentation.