NetFlow and SNMP Analytics App
The NetFlow and SNMP Analytics App provides pre-built dashboards for network traffic analysis, security threat detection, and infrastructure health monitoring in Splunk. It is built on Splunk Dashboard Studio and works with enriched, CIM-compliant data delivered by NetFlow Optimizer (NFO) and TA-netflow.
Requirements
| Requirement | Details |
|---|---|
| NetFlow Optimizer (NFO) | Required upstream processing engine |
| TA-netflow | Must be installed on all Splunk tiers — see TA-netflow |
| Splunk version | 10.4 or later (required for native Dashboard Studio network graph visualization) |
| NFO Modules | Module 10062 (Network Conversations) recommended for Network Conversations dashboards. Module 10067 (Top Traffic) supported as fallback. Infrastructure Health dashboards require Module 10701 (Auto-discovery Reporter) and/or Module 10103 (SNMP Custom OID Sets) — see Dashboard Guide |
What's in the App
The app consolidates network visibility into 18 focused dashboards organized as a triage workflow — from high-level health overview to granular flow forensics. The previous version had 80+ dashboards across inconsistent filter sets; this version eliminates all deprecated-module dashboards and standardizes navigation and filters across every dashboard.
Navigation
The app is organized into four sections:
| Section | Dashboards |
|---|---|
| Overview | Network Overview (default landing page) |
| Network Conversations | Network Conversations, Security Events, Geographic & ASN, By VLAN, Concurrent Connections, By Duration |
| Infrastructure Health | Network Topology, Network Device Health, TCP Health |
| Configuration | Setup, Configuration, TA-netflow App Setup, Index Usage |
Global Filter Standard
Every dashboard uses the same filter chain in the same order:
Site → Device Type → Device / Network → Flow Type → Direction → Action → Source IP → Dest IP → Dest Port → App Name → Time Range
The first three filters are cascading — selecting a Site narrows the Device Type list, which narrows the Device / Network list. The remaining filters are independent and optional.
NFO Hostname has been removed as a filter. In multi-NFO deployments users think in terms of sites and devices, not NFO instances. NFO hostname remains in the underlying event data and can be used to identify which NFO instance produced a given record.
Navigation Hierarchy
The new navigation hierarchy replaces the previous NFO Hostname → Device Group → Device chain:
Site → Device Type → Device / Network
- Site — geographic location or data center (e.g. `NYC-DC1`, `AWS-US-East`).
- Device Type — automatically populated from NFO auto-discovery (e.g. Router, Switch, Firewall, Cloud).
- Device / Network — covers both on-premises devices and cloud VPC subnets in a single list.
Data Model
The app uses bytes pre-multiplied by NFO at collection time (Module 10062). The legacy sampling rate lookup (20002) is not used in any dashboard. No action is required on upgrade — Module 10062 handles sampling rate correction transparently.
Upgrading from a Previous Version
The dashboard set has been significantly consolidated. If you are looking for a dashboard that no longer appears in the navigation, it has been replaced by one of the new consolidated dashboards — see the Dashboard Guide for the full mapping.
Dashboard reference documentation for the previous app version is available in the 2.12.0 documentation.
Installation
The app is available on Splunkbase. Install it on Search Heads only.
- In Splunk Web, go to Apps → Manage Apps → Install app from file.
- Upload the app package.
- Restart Splunk if prompted.
- Configure the `netflow_index` search macro — see Deployment & Configuration.