NetFlow and SNMP Analytics App
The NetFlow and SNMP Analytics App provides pre-built dashboards for network traffic analysis, security threat detection, and infrastructure health monitoring in Splunk. It is built on Splunk Dashboard Studio and works with enriched, CIM-compliant data delivered by NetFlow Optimizer (NFO) and TA-netflow.
Requirements
| Requirement | Details |
|---|---|
| NetFlow Optimizer (NFO) | Required upstream processing engine |
| TA-netflow | Must be installed on all Splunk tiers — see TA-netflow |
| Splunk version | 10.4 or later (required for native Dashboard Studio network graph visualization) |
| NFO Modules | Module 10062 (Network Conversations) recommended for Network Conversations dashboards. Module 10067 (Top Traffic) supported as fallback. Infrastructure Health dashboards require Module 10701 (Auto-discovery Reporter) and/or Module 10103 (SNMP Custom OID Sets) — see Dashboard Guide |
What's in the App
The app consolidates network visibility into 19 focused dashboards organized as a triage workflow — from high-level health overview to granular flow forensics. The previous version had 80+ dashboards across inconsistent filter sets; this version eliminates all deprecated-module dashboards and standardizes navigation and filters across every dashboard.
Navigation
The app is organized into four sections:
| Section | Dashboards |
|---|---|
| Overview | Network Overview (default landing page) |
| Network Conversations | Network Conversations, Security Events, Geographic & ASN, Cloud Traffic, By VLAN, Concurrent Connections, By Duration |
| Infrastructure Health | Network Topology, Network Device Health, TCP Health |
| Configuration | Setup, Configuration, TA-netflow App Setup, Index Usage |
Global Filter Standard
Every dashboard uses the same filter chain in the same order:
Site → Device Type → Device / Network → Source IP → Dest IP → Dest Port → Time Range → Advanced Filter
The first three filters are cascading — selecting a Site narrows the Device Type list, which narrows the Device / Network list. The remaining filters are independent and optional. Filters that return only one value or no data are automatically hidden.
Flow Type, Direction, Action, and App Name are not in the standard filter bar. They remain filterable via the Advanced Filter field using fieldname=value syntax (e.g. direction=inbound, action=blocked).
NFO Hostname has been removed as a filter. NFO hostname remains in the underlying event data and can be used to identify which NFO instance produced a given record.
Navigation Hierarchy
The new navigation hierarchy replaces the previous NFO Hostname → Device Group → Device chain:
Site → Device Type → Device / Network
- Site — geographic location or data center (e.g. NYC-DC1, AWS-US-East).
- Device Type — automatically populated from NFO auto-discovery (e.g. Router, Switch, Firewall, AWS-VPC).
- Device / Network — covers both on-premises devices and cloud VPC subnets in a single list.
Terminology
The UI label for the direction field is Session Origin throughout the app. The underlying SPL field name remains direction — use direction=inbound etc. in Advanced Filter and custom searches.
Data Model
The app uses bytes pre-multiplied by NFO at collection time (Module 10062). The legacy sampling rate lookup (20002) is not used in any dashboard. No action is required on upgrade — Module 10062 handles sampling rate correction transparently.
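The following search is an added illustration, not part of the app or its documentation. It shows how the Advanced Filter terms from the Global Filter Standard (direction=inbound, action=blocked) and the bytes field described above can be reused in a custom search. It assumes the netflow_index macro referenced in the Installation section, and CIM Network Traffic field names (src_ip, dest_ip, dest_port, bytes), since the page states the data is CIM-compliant; no sourcetype filter is included because the page does not name one.

```spl
`netflow_index` direction=inbound action=blocked
| stats sum(bytes) AS total_bytes, dc(src_ip) AS distinct_sources, count AS flows BY dest_ip, dest_port
| sort - total_bytes
| head 20
```

Because NFO Module 10062 pre-multiplies bytes by the sampling rate at collection time, the sum is used as-is with no sampling-rate lookup applied.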
Upgrading from a Previous Version
The dashboard set has been significantly consolidated. If you are looking for a dashboard that no longer appears in the navigation, it has been replaced by one of the new consolidated dashboards — see the Dashboard Guide for the full mapping.
Dashboard reference documentation for the previous app version is available in the 2.12.0 documentation.
Installation
The app is available on Splunkbase. Install it on Search Heads only.
- In Splunk Web, go to Apps → Manage Apps → Install app from file.
- Upload the app package.
- Restart Splunk if prompted.
- Configure the netflow_index search macro — see Deployment & Configuration.