
Deployment & Configuration

This guide provides step-by-step instructions for establishing the data pipeline between NetFlow Optimizer (NFO) and your Splunk environment. Before starting, ensure TA-netflow is installed on all relevant Splunk tiers — see TA-netflow for installation instructions.


1. Install Splunk Components

Component                      | Installation Location                    | Purpose
TA-netflow                     | Search Heads, Indexers, Heavy Forwarders | Mandatory. Field extraction, CIM mapping, and flowintegrator sourcetype definition.
NetFlow and SNMP Analytics App | Search Heads                             | Required for visualization. Dashboards, reports, and search macros.

Both components are available on Splunkbase and can be installed via Apps → Manage Apps → Install app from file.


2. Configure Data Input (Splunk Side)

NFO sends data to Splunk in JSON format. HTTP Event Collector (HEC) is the recommended ingestion method for performance and security. Syslog is supported as an alternative.

Method A: HTTP Event Collector (HEC)

  1. In Splunk, go to Settings → Data Inputs → HTTP Event Collector.
  2. Click New Token and name it NFO-HEC.
  3. Set the Source Type to flowintegrator.
  4. Specify the target Index (e.g., flowintegrator).
  5. Save the Token Value and ensure your HEC port (default 8088) is open.

Method B: Syslog (UDP/TCP)

  1. In Splunk, go to Settings → Data Inputs → UDP (or TCP).
  2. Specify the Port (e.g., 10514).
  3. Set the Source Type to flowintegrator.
  4. Specify the target Index (e.g., flowintegrator).

3. Configure Data Output (NFO Side)

Once Splunk is ready to receive data, configure the output destination in the NFO web interface.

  1. Log in to the NetFlow Optimizer web interface.
  2. Navigate to Outputs and click Add New Output.
  3. Select the Output Type: Splunk HEC or Syslog.
  4. Enter your Splunk connection details (URL and port) and paste the HEC Token if using HEC.
  5. Select JSON as the format.
  6. Click Save and Start.

4. Configure the NetFlow Analytics App

Once data is flowing into Splunk, update the app's search macro to point to your data index.

  1. In Splunk, go to Settings → Advanced Search → Search Macros.
  2. Find the netflow_index macro.
  3. Update the Definition to match your index and sourcetype:
    index=flowintegrator sourcetype=flowintegrator
  4. Click Save. Dashboards will begin to populate.

5. Verification

Run the following search in Splunk to confirm data is arriving and fields are correctly parsed:

index=flowintegrator sourcetype=flowintegrator | head 10

What to check:

  • Fields such as src_ip, dest_ip, bytes, packets, and nfc_id appear in the Interesting Fields sidebar.
  • The nfc_id value is 20062 (Network Conversations) or 20067 (Top Traffic), depending on which NFO module is enabled.
  • No parsing errors appear in the _raw field.
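As an added example (not part of the NFO or TA-netflow documentation), a small Python pre-check that applies the verification list above to raw JSON events before they reach HEC, and wraps a passing event in the envelope HEC's /services/collector/event endpoint expects. The sample events are constructed, and the field names are assumed to match those listed above.

```python
import json
from typing import Dict, List

# nfc_id values the guide says to expect, keyed by the NFO module that emits them.
EXPECTED_NFC_IDS = {20062: "Network Conversations", 20067: "Top Traffic"}
# Fields the guide says should appear once TA-netflow has parsed the event.
REQUIRED_FIELDS = ("src_ip", "dest_ip", "bytes", "packets", "nfc_id")


def check_event(raw: str) -> List[str]:
    """Return the problems found in one raw event; an empty list means it passes."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    problems = [f"missing field {f}" for f in REQUIRED_FIELDS if f not in event]
    for counter in ("bytes", "packets"):
        if counter in event and not str(event[counter]).isdigit():
            problems.append(f"{counter} is not a non-negative integer")
    if "nfc_id" in event:
        try:
            nfc_id = int(event["nfc_id"])
        except (TypeError, ValueError):
            nfc_id = None
        if nfc_id not in EXPECTED_NFC_IDS:
            problems.append(f"unexpected nfc_id {event['nfc_id']}")
    return problems


def hec_envelope(raw: str, index: str = "flowintegrator",
                 sourcetype: str = "flowintegrator") -> Dict:
    """Wrap one event in the JSON envelope the HEC event endpoint expects."""
    return {"event": json.loads(raw), "index": index, "sourcetype": sourcetype}


def summarize(raw_events: List[str]) -> Dict[str, int]:
    """Count passing and failing events, as a quick pre-ingest sanity check."""
    results = [check_event(e) for e in raw_events]
    return {"ok": sum(1 for p in results if not p), "failed": sum(1 for p in results if p)}


# Constructed sample events (not real NFO output): two good, one bad module id, one truncated.
SAMPLE_EVENTS = [
    '{"nfc_id": 20062, "src_ip": "10.0.0.5", "dest_ip": "10.0.1.9", "bytes": 4120, "packets": 7}',
    '{"nfc_id": 20067, "src_ip": "10.0.0.8", "dest_ip": "192.0.2.10", "bytes": 1024, "packets": 2}',
    '{"nfc_id": 20099, "src_ip": "10.0.0.5", "dest_ip": "10.0.1.9", "bytes": "n/a", "packets": 1}',
    '{"nfc_id": 20062, "src_ip": "10.0.0.5", "bytes": 10',
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(check_event(raw) or "OK")
    print(summarize(SAMPLE_EVENTS))
```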

If no results appear within a few minutes of NFO being configured, see Troubleshooting or contact support@netflowlogic.com.