Installation
The DDoS Detector for Splunk App works together with the Technology Add-on for NetFlow (TA-netflow). Both must be installed before Splunk can receive, parse, and display DDoS events generated by NetFlow Optimizer (NFO).
Prerequisites
Before starting, confirm the following are in place:
- NetFlow Optimizer (NFO) is installed and running
- Your network devices are exporting flow data to NFO
- The DDoS Detector Module has been requested from NetFlow Logic, uploaded to NFO, and enabled. The module is not included in the standard build; contact support@netflowlogic.com to request it
- You have a valid NFO license and access to the NFO web UI
- You have Splunk admin rights to install apps and configure data inputs
- You have the DDoS Detector for Splunk App and TA-netflow packages available for installation
1. Download
Both Splunk components are available from Splunkbase:
| Component | Splunkbase Link |
|---|---|
| DDoS Detector for Splunk App | https://splunkbase.splunk.com/app/4016/ |
| Technology Add-on for NetFlow (TA-netflow) | https://splunkbase.splunk.com/app/1838/ |
Install each package via Apps > Manage Apps > Install app from file in the Splunk Web UI.
2. Where to install
| Splunk node | DDoS Detector App | TA-netflow |
|---|---|---|
| Search Head | ✓ | ✓ |
| Indexer | - | ✓ |
| Heavy Forwarder | - | ✓ |
| Universal Forwarder | - | - |
3. Choose how Splunk will receive NFO data
NFO can send DDoS-related events to Splunk using either:
- HTTP Event Collector (HEC) — recommended
- Syslog (UDP/TCP) — supported for simpler or legacy deployments
In both cases, make sure the sourcetype is set to:
flowintegrator
Method A: HTTP Event Collector (HEC) — recommended
Use HEC when possible. It is the preferred modern approach and avoids the reliability limitations of plain UDP inputs.
Splunk-side setup
- In Splunk, go to Settings > Data Inputs > HTTP Event Collector
- Click New Token
- Give the token a name such as NFO-HEC
- Set the Source Type to flowintegrator
- Set the Index you want to use, for example flowintegrator
- Save the token value
- Ensure the HEC port is reachable from NFO (the default is typically 8088)
NFO-side setup
- Log in to the NFO web interface
- Navigate to Outputs
- Click Add Output
- Choose Splunk HEC
- Enter the Splunk address and port
- Select JSON as the output format
- Paste the HEC token
- Save and start the output
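Before starting the NFO output, it is worth confirming that the token, index and sourcetype are accepted by the collector. The following Python script is an added example, not part of the app or of NFO: it posts one constructed event through the documented HEC JSON envelope and returns Splunk's reply. The host name, token value and index are placeholders to replace with your own.

```python
import json
import time
import urllib.error
import urllib.request

# Placeholder values (assumptions for this example): your Splunk host, the
# HEC token created under Settings > Data Inputs > HTTP Event Collector,
# and the index you chose for NFO events.
SPLUNK_HEC_URL = "https://splunk.example.com:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"
INDEX = "flowintegrator"
SOURCETYPE = "flowintegrator"


def hec_envelope(event, index=INDEX, sourcetype=SOURCETYPE, ts=None):
    """Wrap an event in the HEC JSON envelope.

    sourcetype and index are envelope metadata, not part of the event body,
    which is what lets TA-netflow's sourcetype=flowintegrator parsing apply
    whatever the token's own defaults are.
    """
    return {
        "time": ts if ts is not None else time.time(),
        "sourcetype": sourcetype,
        "index": index,
        "event": event,
    }


def hec_headers(token=HEC_TOKEN):
    """HEC authenticates with 'Authorization: Splunk <token>'."""
    return {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}


def send_event(event, url=SPLUNK_HEC_URL, token=HEC_TOKEN, **envelope_kwargs):
    """POST one event and return Splunk's JSON reply as a dict.

    A working token and index answer {"text": "Success", "code": 0}. HEC
    reports problems (invalid token, index the token may not write to,
    index that does not exist) as an HTTP error whose body is still JSON
    with a non-zero code, so that body is returned instead of raising:
    these are exactly the mistakes to catch before NFO output is started.
    """
    body = json.dumps(hec_envelope(event, **envelope_kwargs)).encode("utf-8")
    req = urllib.request.Request(url, data=body, headers=hec_headers(token), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return json.loads(err.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed test event: it carries no NFO fields, so it will not show
    # up as a DDoS detection, only as proof that token, index and sourcetype
    # are accepted.
    print(send_event({"msg": "hec connectivity test from the NFO host"}))
```

Run it from the NFO host so that the same network path NFO will use is exercised; a timeout or connection refusal here points at firewalling of port 8088 rather than at the token.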
Method B: Syslog (UDP/TCP)
Use this when you prefer traditional syslog delivery or need compatibility with an existing Splunk ingestion path.
Using the Splunk UI
- Go to Settings > Data Inputs > UDP (or TCP)
- Click Add New
- Enter the listening port, for example 10514
- Click Select Sourcetype and set it to flowintegrator
- Change the App Context to Technology Add-on for NetFlow (TA-netflow)
- Set the target index if required for your environment
- Review and submit
Using inputs.conf
Create or edit:
$SPLUNK_HOME/etc/apps/TA-netflow/local/inputs.conf
Example:
[udp://10514]
sourcetype = flowintegrator
If you want to store events in a dedicated index such as flowintegrator, create:
$SPLUNK_HOME/etc/apps/TA-netflow/local/indexes.conf
With:
[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db
coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb
Then update inputs.conf:
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
NFO-side setup
- Log in to the NFO web interface
- Navigate to Outputs
- Click Add Output
- Choose Syslog
- Enter the Splunk IP/hostname and port
- Select the appropriate syslog format for your environment
- Save and start the output
4. Post-install app configuration in Splunk
This part is specific to the DDoS Detector app and should be done after data ingestion is configured.
Update the netflow_index macro if you are not using main
In the shipped app, the default macro is:
[netflow_index]
definition = sourcetype=flowintegrator
That works when events are stored in the default main index. If you store events in a dedicated index such as flowintegrator, override the macro so the dashboards search the correct index.
Using the Splunk UI
- Go to Settings > Advanced Search > Search Macros
- Find netflow_index
- Change the definition to:
index=flowintegrator sourcetype=flowintegrator
Using macros.conf
Create or edit:
$SPLUNK_HOME/etc/apps/ddos_detector/local/macros.conf
Add:
[netflow_index]
definition = index=flowintegrator sourcetype=flowintegrator
Restart Splunk after making the change.
Important Do not change the default app files directly. Use the local/ directory so your configuration survives app upgrades.
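The reason a local/ override works at all is Splunk's configuration layering: within an app, every attribute in local/ replaces the same attribute in default/, and anything not mentioned in local/ is kept. The script below is an added example, not part of the app, that models that layering for macros.conf so you can see which definition the dashboards will actually use. It is a simplified model (one app, default/ under local/; Splunk's full precedence also spans apps and users), and the conf fragments it parses are constructed to mirror the stanzas shown above.

```python
import os
import re

# Constructed fragments mirroring the stanzas this guide shows: the app's
# shipped default and a local override for a dedicated index.
DEFAULT_MACROS = """
[netflow_index]
definition = sourcetype=flowintegrator

[ddos_detector_si]
definition = index=summary
"""

LOCAL_MACROS = """
# local/macros.conf: point the dashboards at the dedicated index
[netflow_index]
definition = index=flowintegrator sourcetype=flowintegrator
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.

    Lines are split on the FIRST '=' only, because macro definitions such
    as 'index=flowintegrator sourcetype=flowintegrator' contain '=' inside
    the value. Keys before any [stanza] header land in [default].
    """
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def layer_conf(default_conf, local_conf):
    """Merge the way Splunk layers one app's local/ over its default/.

    Attributes set in local/ replace the same attribute in default/; every
    attribute not mentioned in local/ survives, so an override file only
    needs the settings that actually change.
    """
    merged = {stanza: dict(attrs) for stanza, attrs in default_conf.items()}
    for stanza, attrs in local_conf.items():
        merged.setdefault(stanza, {}).update(attrs)
    return merged


def effective_macros(default_text=DEFAULT_MACROS, local_text=LOCAL_MACROS):
    """Effective macro name -> definition after layering."""
    merged = layer_conf(parse_conf(default_text), parse_conf(local_text))
    return {name: attrs.get("definition") for name, attrs in merged.items()}


def effective_macros_from_app(app_dir):
    """Same check against a real app directory such as
    $SPLUNK_HOME/etc/apps/ddos_detector; a missing layer counts as empty."""
    texts = []
    for layer in ("default", "local"):
        path = os.path.join(app_dir, layer, "macros.conf")
        texts.append(open(path).read() if os.path.exists(path) else "")
    return effective_macros(*texts)


if __name__ == "__main__":
    for name, definition in effective_macros().items():
        print(f"{name}: {definition}")
```

On a live search head, `splunk btool macros list --app=ddos_detector --debug` reports the same merged view together with the file each attribute came from; the script is useful when you want to check a prepared local/ file before deploying it.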
Optional: use a custom summary index
The app ships with:
[ddos_detector_si]
definition = index=summary
If you want the app’s summary searches to write into a dedicated summary index such as flowintegrator_summary, create the index and override the related settings.
1. Create the summary index
Create or edit:
$SPLUNK_HOME/etc/apps/ddos_detector/local/indexes.conf
Add:
[flowintegrator_summary]
homePath = $SPLUNK_DB/flowintegrator_summary/db
coldPath = $SPLUNK_DB/flowintegrator_summary/colddb
thawedPath = $SPLUNK_DB/flowintegrator_summary/thaweddb
2. Override the summary index macro
Create or edit:
$SPLUNK_HOME/etc/apps/ddos_detector/local/macros.conf
Add:
[ddos_detector_si]
definition = index=flowintegrator_summary
3. Override the scheduled searches that write to the summary index
Create or edit:
$SPLUNK_HOME/etc/apps/ddos_detector/local/savedsearches.conf
Add:
[ddos_20196_20064]
action.summary_index._name = flowintegrator_summary
[ddos_20196_20067]
action.summary_index._name = flowintegrator_summary
[ddos_20196_20195]
action.summary_index._name = flowintegrator_summary
[ddos_20196_20198]
action.summary_index._name = flowintegrator_summary
[ddos_20196_20200]
action.summary_index._name = flowintegrator_summary
Restart Splunk after applying these changes.
5. Configure local subnets
The app uses a subnet lookup to determine inbound vs. outbound traffic and to identify attacker and victim locations correctly.
The shipped lookup definition is my_subnets_lookup, backed by the file:
$SPLUNK_HOME/etc/apps/ddos_detector/lookups/my-subnets.csv
The default file contains placeholder RFC 1918 ranges:
subnet,description
10.0.0.0/8,ClassA
172.16.0.0/12,ClassB
192.168.0.0/16,ClassC
Copy the file to your local override area and replace the entries with your actual internal subnets:
$SPLUNK_HOME/etc/apps/ddos_detector/local/lookups/my-subnets.csv
Do not edit the file under default/, because it can be overwritten during upgrades.
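Because the lookup is what decides which end of a flow is "ours", a malformed or incomplete my-subnets.csv silently degrades the attacker/victim attribution rather than producing an error. The following Python script is an added example, not part of the app: it parses a lookup file in the same subnet,description format, flags rows that are not valid CIDR ranges or that overlap, and classifies constructed flows by direction. The direction labels (inbound, outbound, internal, external) are this example's own assumption about how the lookup is applied, not the app's field names.

```python
import csv
import io
import ipaddress

# Constructed lookup text in the my-subnets.csv format (subnet,description),
# using the shipped RFC 1918 placeholders. Replace with your real ranges.
SUBNETS_CSV = """subnet,description
10.0.0.0/8,ClassA
172.16.0.0/12,ClassB
192.168.0.0/16,ClassC
"""


def load_subnets(csv_text):
    """Parse the lookup and return (networks, bad_rows).

    strict=False tolerates host bits in the prefix (10.1.2.3/8 is read as
    10.0.0.0/8). Anything that is not a CIDR at all is reported rather than
    dropped, because a missing internal range makes every flow to it look
    external and the local victim is then never identified.
    """
    networks, bad_rows = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["subnet"].strip(), strict=False)
        except ValueError:
            bad_rows.append(row["subnet"])
            continue
        networks.append((net, row["description"].strip()))
    return networks, bad_rows


def find_overlaps(networks):
    """Pairs of rows where one subnet overlaps another. Not an error, but an
    address in both will match two descriptions."""
    return [
        (str(a), str(b))
        for i, (a, _) in enumerate(networks)
        for b, _ in networks[i + 1:]
        if a.overlaps(b)
    ]


def is_local(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net, _ in networks)


def classify_flow(src_ip, dst_ip, networks):
    """Direction of a flow relative to the lookup (labels assumed here):
      inbound  - external source to local destination; the local host is
                 the candidate victim
      outbound - local source to external destination
      internal - both ends local
      external - neither end local, e.g. transit traffic
    """
    src_local, dst_local = is_local(src_ip, networks), is_local(dst_ip, networks)
    if src_local and dst_local:
        return "internal"
    if dst_local:
        return "inbound"
    if src_local:
        return "outbound"
    return "external"


if __name__ == "__main__":
    nets, bad = load_subnets(SUBNETS_CSV)
    print("invalid rows:", bad, "overlaps:", find_overlaps(nets))
    # Constructed flows; the external side uses documentation ranges.
    for src, dst in [("203.0.113.7", "10.20.30.40"), ("192.168.1.5", "198.51.100.2")]:
        print(src, "->", dst, classify_flow(src, dst, nets))
```

Run it against your local/lookups/my-subnets.csv before restarting Splunk; an empty bad_rows list and an overlap list you can explain are the two conditions worth checking.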
6. Configure email alerting
Email notifications require an outbound mail server to be configured in Splunk first.
Mail server setup
Go to Settings > Server Settings > Email Settings and enter your mail server details. Example:
Mail host = smtp.gmail.com:587
Email security = TLS
Username = your-address@gmail.com
Password = your-app-password
In the Email Format section, set Link Hostname to your Splunk URL, for example:
https://mysplunk.com:8000
Do not leave it blank or rely on autodetect. This value is used to generate the clickable link in DDoS alert emails.
Important If you change anything on the Email Settings page, clear and re-enter the password fields before saving. Otherwise Splunk may reset the stored password and alert emails will stop working.
Configure alert recipients
To configure recipients for the built-in DDoS alert:
- Go to Settings > Searches, Reports, and Alerts
- Find ddos_alert
- Select Edit > Edit Alert
- In the When triggered - Send email section, populate the To field
- Save the alert
7. Verify the configuration
Run one of the following searches in the Search app.
If you use a dedicated index
index=flowintegrator sourcetype=flowintegrator
If you use the default index
sourcetype=flowintegrator
You should see events arriving from NFO.
For DDoS-specific validation, also confirm that DDoS rule events are present:
sourcetype=flowintegrator nfc_id=20196
If no results appear:
- verify that NFO is receiving flow data from your exporters
- verify that the DDoS Detector Module is uploaded and enabled
- verify that the NFO output is started and points to the correct Splunk destination
- verify network connectivity between NFO and Splunk
- verify that the Splunk sourcetype is flowintegrator
- if you use a non-default index, verify that the netflow_index macro was updated
8. Operational note
The app includes saved searches that populate dropdowns and summary data on a schedule. If exporters or NFO hosts do not appear immediately in the dashboards, allow time for the scheduled searches to run, or refresh the dropdowns from the app setup page.