Version: Next

Deployment & Configuration

This guide provides technical instructions for establishing the data pipeline between NetFlow Optimizer (NFO) and your Splunk environment. For a successful deployment, you must install both the TA-netflow (for data parsing) and the NetFlow Analytics for Splunk App (for visualization).


1. Installation of Components

Both components can be downloaded from Splunkbase and installed via Apps > Manage Apps > Install app from file.

Component | Installation Location | Purpose
TA-netflow | Search Heads, Indexers, & Forwarders | Mandatory. Handles field extraction, CIM mapping, and sets the flowintegrator sourcetype.
NetFlow Analytics for Splunk | Search Heads | Required for Visualization. Contains the dashboards, reports, and search macros.

2. Configuring the Data Input (Splunk Side)

NFO sends data to Splunk in JSON or Syslog format. HTTP Event Collector (HEC) is the recommended approach for performance and security.

Method A: HTTP Event Collector (HEC)

  1. In Splunk, go to Settings > Data Inputs > HTTP Event Collector.
  2. Click New Token and name it NFO-HEC.
  3. Set the Source Type to flowintegrator.
  4. Specify the target Index (e.g., flowintegrator).
  5. Save the Token Value and ensure your HEC port (default 8088) is open.

Method B: Syslog (UDP/TCP)

  1. In Splunk, go to Settings > Data Inputs > UDP (or TCP).
  2. Specify the Port (e.g., 10514).
  3. Set the Source Type to flowintegrator.
  4. Specify the target Index (e.g., flowintegrator).

3. Configuring Data Output (NFO Side)

Once Splunk is ready to receive data, configure the output destination in the NFO GUI.

  1. Log in to the NetFlow Optimizer web interface.
  2. Navigate to Data Outputs and click Add New Output.
  3. Select the Output Type (Splunk HEC or Syslog).
  4. Enter your Splunk connection details (URL/Port) and paste the HEC Token if applicable.
  5. Select JSON as the format.
  6. Click Save and Start.

4. Configuring the NetFlow Analytics App

Once the data is flowing, you must update the app's search macro to point to your data index.

  1. In Splunk, go to Settings > Advanced Search > Search Macros.
  2. Find the netflow_index macro.
  3. Change the Definition to match your index and sourcetype: definition = index=flowintegrator sourcetype=flowintegrator
  4. Click Save. Your dashboards will now begin to populate.

5. Verification

To confirm that the data is flowing and being correctly parsed by the TA, run the following search in Splunk:

index=flowintegrator sourcetype=flowintegrator | head 10

What to check:

  • Verify that fields such as src_ip, dest_ip, bytes, and packets are correctly extracted in the Interesting Fields sidebar.
  • Ensure the nfc_id field is present (e.g., 20062 for Network Conversations or 20067 for Top Traffic), as this is what powers the specific dashboard views.
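Before pointing NFO at the new HEC input (section 2, Method A), it helps to push one hand-built event through the token and read Splunk's reply, then run the verification search above. The following is an added example, not part of this guide or of the NFO product; the endpoint URL, token and the layout of the sample flow record are assumed placeholders, and the field names simply follow the verification checklist rather than NFO's real JSON schema.

```python
import json
import ssl
import time
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Assumed placeholders: replace with your Splunk host and the NFO-HEC token value.
HEC_URL = "https://splunk.example.internal:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

# Subset of the documented HEC reply codes, so a rejection is readable at a glance.
HEC_CODES = {0: "Success", 1: "Token disabled", 2: "Token is required",
             3: "Invalid authorization", 4: "Invalid token", 5: "No data",
             6: "Invalid data format", 7: "Incorrect index"}

def build_hec_payload(flow: dict, index: str = "flowintegrator",
                      sourcetype: str = "flowintegrator", ts: Optional[float] = None) -> dict:
    """Wrap one flow record in the HEC envelope, pinning index and sourcetype
    explicitly so the TA-netflow extractions apply whatever the token defaults are."""
    return {"time": ts if ts is not None else time.time(),
            "index": index, "sourcetype": sourcetype, "event": flow}

def diagnose_hec_response(body: str) -> Tuple[bool, str]:
    """Turn a HEC reply such as {"text":"Success","code":0} into (accepted, message)."""
    reply = json.loads(body)
    code = reply.get("code", -1)
    return code == 0, HEC_CODES.get(code, reply.get("text", f"unknown code {code}"))

def send_to_hec(payload: dict, url: str = HEC_URL, token: str = HEC_TOKEN) -> Tuple[bool, str]:
    """POST the envelope with the token in the Authorization header over verified TLS.
    A certificate error here means the collector's cert needs fixing, not that
    verification should be switched off."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"Splunk {token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=10) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as err:  # HEC answers 4xx with a JSON body carrying the code
        body = err.read().decode()
    return diagnose_hec_response(body)

# Constructed sample record; fields mirror the verification checklist, not NFO's real schema.
SAMPLE_FLOW = {"nfc_id": 20062, "src_ip": "10.0.0.5", "dest_ip": "10.0.1.20",
               "bytes": 48213, "packets": 37}

if __name__ == "__main__":
    accepted, message = send_to_hec(build_hec_payload(SAMPLE_FLOW))
    print("HEC accepted the event" if accepted else f"HEC rejected the event: {message}")
```

After a successful send, the verification search in section 5 should return the sample record with src_ip, dest_ip, bytes, packets and nfc_id extracted; a "Incorrect index" reply means the token is not allowed to write to the index chosen in step 4.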