Version: Next

Dashboard Guide

This guide describes all dashboards in the NetFlow and SNMP Analytics App, organized by navigation section.

Looking for a dashboard from the previous app version?

Many dashboards have been consolidated. See the Legacy Dashboard Mapping section below, or refer to the 2.12.0 documentation for the full previous dashboard reference.


Overview

Network Overview

Default landing page. Device-centric network health summary — the first stop in the triage workflow.

Required module: Module 10062 (Network Conversations). Falls back to Module 10067 (Top Traffic) when 10062 data is unavailable — see Top Traffic Fallback.

Filters: Site → Device Type → Device / Network → Time Range.

What it shows:

  • Row 1 — Device metrics: Four panels showing device performance — Top Devices by Flows/sec, Throughput (Mbps), Packets/sec, and Average Packet Size. When a specific device is selected, these switch to time-series charts for that device. Use these four panels together to fingerprint device behavior — high packets + low bytes signals a small-packet flood; low average packet size may indicate scanning or DDoS.
  • Row 2 — Traffic breakdown: Four donut charts showing Protocol mix, Top Source IPs, Top Destination IPs, and Top Destination Ports & Apps across the filtered scope.
  • Row 3 — Known Threat Communications: Four KPI panels showing flow counts for threat traffic only (threat_list_name is populated): Inbound Allowed, Inbound Blocked, Outbound Allowed, Outbound Blocked. Red panels require investigation; green panels confirm controls are working. Clicking any panel navigates to the Security Events dashboard with the appropriate filters pre-set.
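The four Row 1 metrics and the triage heuristics quoted above can be recomputed outside the dashboard. The following Python is an added example, not code from the app or from NFO: it aggregates constructed flow records per device into flows/sec, Mbps, packets/sec and average packet size, then applies the text's rules (many packets with few bytes points at a small-packet flood; a low average packet size at a low rate is worth checking for scanning). The record layout, device names and the numeric thresholds are assumptions for the example.

```python
"""Device fingerprinting from flow records (added example, not app code).

Recomputes the four Row 1 metrics of the Network Overview dashboard
(flows/sec, throughput in Mbps, packets/sec, average packet size) over one
aggregation window and applies the triage heuristics from the text.
Record layout, device names and thresholds are assumptions, not NFO's schema.
"""
from collections import defaultdict

# Constructed sample: one tuple per exported flow (device, bytes, packets).
SAMPLE_FLOWS = [
    ("fw-edge-01", 1_500_000, 1200),   # ordinary bulk traffic
    ("fw-edge-01", 900_000, 700),
    ("core-sw-02", 60_000, 1500),      # ~40 bytes per packet at a high rate
    ("core-sw-02", 40_000, 1000),
    ("core-sw-02", 50_000, 1250),
    ("access-sw-07", 8_000, 200),      # ~40 bytes per packet at a low rate
]
WINDOW_SECONDS = 60            # width of the aggregation window (assumed)
SMALL_PACKET_BYTES = 100       # below this average size, packets are "small" (assumed)
FLOOD_PACKETS_PER_SEC = 50     # above this rate, small packets look like a flood (assumed)


def device_metrics(flows, window_seconds=WINDOW_SECONDS):
    """Aggregate flows per device into the dashboard's four Row 1 metrics."""
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "packets": 0})
    for device, nbytes, packets in flows:
        t = totals[device]
        t["flows"] += 1
        t["bytes"] += nbytes
        t["packets"] += packets
    metrics = {}
    for device, t in totals.items():
        metrics[device] = {
            "flows_per_sec": t["flows"] / window_seconds,
            "mbps": t["bytes"] * 8 / 1_000_000 / window_seconds,
            "packets_per_sec": t["packets"] / window_seconds,
            "avg_packet_size": t["bytes"] / t["packets"] if t["packets"] else 0.0,
        }
    return metrics


def fingerprint(metrics, small_bytes=SMALL_PACKET_BYTES, flood_pps=FLOOD_PACKETS_PER_SEC):
    """Label each device using the packet-size and rate heuristics from the text."""
    labels = {}
    for device, m in metrics.items():
        if m["avg_packet_size"] >= small_bytes:
            labels[device] = "normal"
        elif m["packets_per_sec"] >= flood_pps:
            labels[device] = "small-packet flood (DDoS candidate)"
        else:
            labels[device] = "small packets at low rate (scanning candidate)"
    return labels


if __name__ == "__main__":
    m = device_metrics(SAMPLE_FLOWS)
    for device, label in fingerprint(m).items():
        print(f"{device:12s} pps={m[device]['packets_per_sec']:7.2f} "
              f"avg={m[device]['avg_packet_size']:8.1f}B -> {label}")
```

The two thresholds are deliberately separate: a low average packet size alone is only a prompt to look, and it is the packet rate on top of it that distinguishes a flood from slow probing, which is why the dashboard asks you to read the four panels together.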

Network Overview dashboard showing device metrics, traffic breakdown, and threat KPI panels


Network Conversations

Network Conversations

Primary traffic investigation dashboard. Replaces five previous dashboards: Network Conversations Bidirectional, Top Applications, Top Users, Applications & Users, and By Protocol & Port.

Required module: Module 10062.

Filters: Full filter chain, plus Group By selector between Device/Network and Source IP.

Group By controls how traffic is analyzed across all panels simultaneously:

Group By          | Shows
Conversation Pair | Source → Destination host pairs
Protocol & Port   | Destination port and transport protocol
Application       | Application name from DPI or NetFlow options
User              | Username from identity enrichment

What it shows:

  • Row 1 — Timechart: Traffic over time, stacked by the selected Group By dimension. Click and drag to time-brush — filters the detail table to the selected window.
  • Row 2 — Primary dimension + Top Destinations: Ranked bar chart of the selected Group By dimension alongside a fixed Top Destinations panel. Titles and colors update with Group By selection.
  • Row 3 — Supporting dimensions: Two additional ranked bar charts showing the most analytically useful context for the current investigation mode (e.g. when investigating by Conversation Pair, Row 3 shows Top Applications and Top Ports).
  • Row 4 — Sankey: Full-width traffic flow diagram. Source and target dimensions respond to Group By selection — two-node for Conversation Pair, three-node chain (Source → middle dimension → Destination) for Application, User, and Protocol & Port.
  • Row 5 — Detail table: Fixed columns regardless of Group By — Device/Network, Flow Type, Session Origin, Source, Destination, Dest Port, App, Sent, Received, Rcvd/Sent %, Avg Duration, Flow Count, plus conditional User and Threat columns. Filtered by time-brush selection. Clicking a row pre-fills Source IP and Dest IP filters without leaving the dashboard.

Network Conversations dashboard showing timechart, ranked bar charts, Sankey diagram, and detail table

Security Events

Threat detection and policy enforcement investigation. Replaces three previous dashboards: Cyber Threats, Top Violators, and Accepts & Rejects.

Required module: Module 10062 with Threat Intelligence configured in NFO.

Filters: Full filter chain.

What it shows:

  • Row 1 — KPIs: Four entity-count panels — Unique Malicious IPs, Unique Victims (internal hosts that communicated with malicious IPs), Blocked Flows, and Unique Violators (distinct internal sources being blocked). These are distinct entity counts, more operationally focused than the flow-count KPIs on the Overview dashboard.
  • Row 2 — Timechart: Threat events and Blocked flows on a shared time axis. Fixed — does not change when switching tabs. Time-brush filters all three tabs simultaneously.
  • Row 3 — Tabs:
    • Threats — Map of attacker countries with enriched table including Threat List and Reputation columns.
    • Violators — Internal sources being blocked, with Application, Dest Port, and Action columns.
    • Allows & Blocks — Four horizontal bar charts showing Allowed and Blocked traffic by conversation pair and by port.
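The difference between the Overview's flow-count KPIs and the Security Events entity-count KPIs is easiest to see when both are derived from the same records. The Python below is an added example, not app code: from one constructed set of enriched flows it produces the Known Threat Communications counts (threat flows only, split by direction and action) and the four Security Events Row 1 counts. threat_list_name is the page's field; src, dst, direction and action are assumed names, "inbound" is assumed to mean an external source reaching an internal host, and "Unique Victims" is assumed to include internal hosts whose contact with a malicious IP was blocked.

```python
"""Threat KPIs from enriched flow records (added example, not app code).

Builds the Network Overview Row 3 flow counts and the Security Events Row 1
distinct entity counts from one constructed flow list. Only threat_list_name
is taken from the page; the other field names are assumptions.
"""

# Constructed sample flows. "blocked" means the firewall/policy dropped the flow.
SAMPLE_FLOWS = [
    {"src": "203.0.113.5", "dst": "10.0.0.7", "direction": "inbound",
     "action": "allowed", "threat_list_name": "tor-exit-nodes"},
    {"src": "203.0.113.5", "dst": "10.0.0.8", "direction": "inbound",
     "action": "blocked", "threat_list_name": "tor-exit-nodes"},
    {"src": "10.0.0.7", "dst": "198.51.100.9", "direction": "outbound",
     "action": "allowed", "threat_list_name": "c2-indicators"},
    {"src": "10.0.0.9", "dst": "198.51.100.9", "direction": "outbound",
     "action": "blocked", "threat_list_name": "c2-indicators"},
    # Policy blocks with no threat match: counted as blocked, not as threats.
    {"src": "10.0.0.9", "dst": "192.0.2.1", "direction": "outbound",
     "action": "blocked", "threat_list_name": None},
    {"src": "10.0.0.11", "dst": "192.0.2.2", "direction": "outbound",
     "action": "blocked", "threat_list_name": None},
    # Ordinary allowed traffic.
    {"src": "192.0.2.50", "dst": "10.0.0.7", "direction": "inbound",
     "action": "allowed", "threat_list_name": None},
]


def is_threat(flow):
    """The Overview's Row 3 counts only flows whose threat_list_name is populated."""
    return bool(flow.get("threat_list_name"))


def external_and_internal(flow):
    """Return (external_ip, internal_ip) based on the assumed direction field."""
    if flow["direction"] == "inbound":
        return flow["src"], flow["dst"]
    return flow["dst"], flow["src"]


def overview_threat_kpis(flows):
    """Flow counts for the four Known Threat Communications panels."""
    kpis = {"inbound_allowed": 0, "inbound_blocked": 0,
            "outbound_allowed": 0, "outbound_blocked": 0}
    for f in flows:
        if is_threat(f):
            kpis[f"{f['direction']}_{f['action']}"] += 1
    return kpis


def security_events_kpis(flows):
    """Distinct entity counts for the Security Events Row 1 panels."""
    malicious, victims, violators = set(), set(), set()
    blocked = 0
    for f in flows:
        if is_threat(f):
            ext, internal = external_and_internal(f)
            malicious.add(ext)
            victims.add(internal)   # assumed to include blocked attempts as well
        if f["action"] == "blocked":
            blocked += 1            # every blocked flow, threat-matched or not
            if f["direction"] == "outbound":
                violators.add(f["src"])  # internal source that policy stopped
    return {"unique_malicious_ips": len(malicious), "unique_victims": len(victims),
            "blocked_flows": blocked, "unique_violators": len(violators)}


if __name__ == "__main__":
    print("Overview Row 3:", overview_threat_kpis(SAMPLE_FLOWS))
    print("Security Events Row 1:", security_events_kpis(SAMPLE_FLOWS))
```

Note that the same host can appear in several threat flows but is counted once as a victim, and that Blocked Flows counts policy blocks with no threat match; that is what makes the Security Events numbers the operational view and the Overview numbers the volume view.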

Security Events dashboard showing KPI panels, threat timechart, and tabbed threat/violator/accepts view

Geographic & ASN

Geographic and autonomous system traffic analysis. Replaces two previous dashboards: By Country and By Autonomous System.

Required module: Module 10062.

Filters: Full filter chain, plus View selector (Geographic / ASN), Show Blocked Flows toggle, and GeoIP Source selector (NFO fields / Splunk iplocation).

What it shows: World map with traffic bubbles by country (Geographic view) or ranked bar chart by ASN (ASN view), with a detail table. The GeoIP Source selector allows comparison between NFO's built-in GeoIP enrichment and Splunk's iplocation function. The Show Blocked Flows toggle excludes blocked/dropped flows when off.

Cloud Traffic

Dedicated visibility into north-south traffic to and from public cloud services. Surfaces cloud provider, service, and region context enriched by NFO from the cloud IP ranges lookup (AWS, Azure, GCP, OCI).

Required module: Module 10062 with cloud enrichment configured in NFO.

Filters: Full filter chain, plus Cloud Provider selector (All / AWS / Azure / GCP / OCI).

What it shows:

  • Row 1 — KPIs: Total Cloud Traffic, Unique Cloud Endpoints, Top Cloud Provider, Unique Cloud Regions.
  • Row 2 — Top Cloud Services + Top Cloud Regions: Two horizontal bar charts showing which cloud services and regions are receiving the most traffic.
  • Row 3 — Sankey: Three-node chain — Internal Host → Cloud Provider → Cloud Region. Answers "which internal hosts are generating traffic to which cloud providers, and where in the world are they going?"
  • Row 4 — Detail table: Standard columns plus Cloud Service and Cloud Region columns (always populated on this dashboard).
Note: Cloud Traffic requires Module 10062. Module 10067 fallback is not available for this dashboard — cloud enrichment fields are not present in Top Traffic data.

By VLAN

VLAN-level traffic segmentation analysis.

Required module: Module 10062.

Filters: Full filter chain.

What it shows: Traffic over time stacked by VLAN, with a detail table showing VLAN-to-VLAN communication pairs including source/destination IPs, bytes, and flow counts.

Concurrent Connections

Active connection count over time. Use for capacity planning and connection flood detection.

Required module: Module 10062.

Filters: Full filter chain.

What it shows: Line chart of concurrent connection count over time (total + breakdown by top 5 devices), with a detail table including connection state (Begin / Continuing / End) and duration.

By Duration

Long-running session detection. Primary use cases: data exfiltration, tunneling, persistent C2 connections, and capacity planning.

Required module: Module 10062.

Filters: Full filter chain.

What it shows: Top 20 conversations by average duration (horizontal bar chart, color intensity by bytes), with a detail table surfacing long-lived sessions. state=C (Continuing) flows are the most relevant for exfiltration and C2 detection — these are active sessions that have not yet terminated.
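The Concurrent Connections and By Duration dashboards both derive from flow start/end times and the connection state, so one worked example serves both. The Python below is added here and is not app or NFO code: it samples how many flows are active at each point in time (treating a state=C flow as still open past its last export) and ranks conversations by average duration, returning the state=C flows the text singles out for exfiltration and C2 review. state=C (Continuing) is the page's value; the record layout, the E code for ended flows and the sample times are assumptions.

```python
"""Concurrent connections and session duration (added example, not app code).

Works through the two dashboards from one constructed flow list: the
Concurrent Connections line (active flows at each sample time) and the By
Duration ranking (top conversations by average duration, state=C highlighted).
state=C is the page's value; the record layout and the E code are assumed.
"""
from collections import defaultdict

INF = float("inf")

# Constructed flows: (src, dst, dport, start, last_seen, state), seconds since T0.
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.20", 443, 0,    3600, "C"),  # still open at last export
    ("10.0.0.5", "198.51.100.20", 443, 600,  900,  "E"),
    ("10.0.0.6", "192.0.2.10",    53,  100,  101,  "E"),
    ("10.0.0.6", "192.0.2.10",    53,  200,  201,  "E"),
    ("10.0.0.7", "203.0.113.40",  22,  0,    3000, "E"),
]


def active_until(flow):
    """A Continuing flow has not terminated, so it stays active past its last export."""
    _, _, _, _, last_seen, state = flow
    return INF if state == "C" else last_seen


def concurrent_connections(flows, start, end, step):
    """Count active flows at each sample time using the half-open [start, active_until)."""
    series = []
    for t in range(start, end + 1, step):
        count = sum(1 for f in flows if f[3] <= t < active_until(f))
        series.append((t, count))
    return series


def duration(flow):
    """Seconds between first and last observation of the flow."""
    return flow[4] - flow[3]


def top_by_avg_duration(flows, n=20):
    """Rank (src, dst, dport) conversations by average flow duration, longest first."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[0], f[1], f[2])].append(duration(f))
    ranked = sorted(((k, sum(v) / len(v)) for k, v in groups.items()),
                    key=lambda kv: kv[1], reverse=True)
    return ranked[:n]


def long_lived_continuing(flows, min_seconds):
    """state=C flows at least min_seconds old: the sessions the text flags for review."""
    return [f for f in flows if f[5] == "C" and duration(f) >= min_seconds]


if __name__ == "__main__":
    for t, count in concurrent_connections(SAMPLE_FLOWS, 0, 3600, 600):
        print(f"t+{t:4d}s  active={count}")
    for conv, avg in top_by_avg_duration(SAMPLE_FLOWS, 20):
        print(f"{conv[0]} -> {conv[1]}:{conv[2]}  avg {avg:.0f}s")
    print("long-lived continuing:", long_lived_continuing(SAMPLE_FLOWS, 1800))
```

Two design points carry over to reading the dashboards: a flow that has ended is not active at its end timestamp (half-open interval), and a Continuing flow's duration is a lower bound, which is exactly why state=C sessions near the top of the duration ranking deserve attention before ended ones of similar length.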


Infrastructure Health

Network Topology - COMING SOON

Network Device Health - COMING SOON


Configuration

Setup

Initial app setup wizard — configure the netflow_index macro and verify data connectivity.

Configuration

Advanced app configuration settings.

TA-netflow App Setup

Links directly to the TA-netflow app configuration page in Splunk.

Index Usage

NFO data volume and index usage statistics — useful for Splunk license monitoring and capacity planning.


Top Traffic Fallback

When Module 10062 (Network Conversations) data is not available but Module 10067 (Top Traffic) data is present, the Network Conversations and Network Overview dashboards render in degraded mode:

  • A persistent, non-dismissible banner indicates degraded mode is active and links to Module 10062 setup instructions.
  • Group By options for Application and User are suppressed — these fields are not available in Top Traffic data.
  • Panels requiring 10062-only fields (Application, User, Session Origin, Duration) are replaced with an explanatory message.
  • The detail table shows only 10067-compatible columns. The percent_of_total field (native to 10067) replaces the Received and Rcvd/Sent % columns.

No dedicated Top Traffic dashboards exist in the navigation. All other flow dashboards (Security Events, Geographic & ASN, Cloud Traffic, By VLAN, Concurrent Connections, By Duration) require Module 10062 and show a "Module 10062 required" message if data is absent — they do not attempt a 10067 fallback.


Legacy Dashboard Mapping

Previous Dashboard                                   | Replaced By
Network Conversations Bidirectional                  | Network Conversations
Network Conversations Top Applications               | Network Conversations (Group By: Application)
Network Conversations Top Users                      | Network Conversations (Group By: User)
Network Conversations Apps & Users                   | Network Conversations (Group By: Application or User)
Network Conversations By Protocol & Port             | Network Conversations (Group By: Protocol & Port)
Network Conversations Cyber Threats                  | Security Events → Threats tab
Network Conversations Top Violators                  | Security Events → Violators tab
Network Conversations Accepts & Rejects              | Security Events → Allows & Blocks tab
Network Conversations By Country                     | Geographic & ASN (View: Geographic)
Network Conversations By Autonomous System           | Geographic & ASN (View: ASN)
Network Device Health                                | Network Device Health → Overview tab
Interface Errors & Discards                          | Network Device Health → Device Detail → Interface Health
SNMP Devices CPU & Memory                            | Network Device Health → Device Detail → CPU & Memory
All Hosts, Applications, Cloud, Firewalls dashboards | Network Conversations or Cloud Traffic
All _ts, _metrics, _si variants                      | Retired — not replaced

For documentation on dashboards not listed here, refer to the 2.12.0 documentation.