TA-netflow — Technology Add-on for NetFlow
The Technology Add-on for NetFlow (TA-netflow) is the data foundation for NetFlow Logic's Splunk integrations. It receives flow and SNMP telemetry processed by NetFlow Optimizer (NFO) and delivers CIM-compliant, enriched network data to Splunk — enabling network traffic analysis, device health monitoring, and security threat detection across on-premises and multi-cloud environments.
TA-netflow does not collect flow data directly from network devices. NetFlow Optimizer (NFO) is required as the upstream processing engine — NFO handles collection, normalization, and enrichment before forwarding to Splunk.
What TA-netflow Provides
- CIM-compliant field mappings — flow and SNMP data mapped to Splunk's Common Information Model for seamless integration with Enterprise Security, ITSI, and custom searches.
- Multi-format flow support — NetFlow v5/v9, sFlow, IPFIX, JFlow, AppFlow.
- Cloud flow log support — AWS VPC Flow Logs, Microsoft Azure NSG Flow Logs, Google Cloud VPC Flow Logs, Oracle Cloud Infrastructure.
- SNMP data support — device and interface telemetry via SNMPv2c and SNMPv3, including traps.
- Enriched data inputs — receives pre-enriched data from NFO including DNS names, GeoIP, IP reputation, application identity, and user context.
CIM Data Model Coverage
| Data Model | Coverage |
|---|---|
| Network Traffic | Flow records — source/dest IP, port, protocol, bytes, packets, duration |
| Network Sessions | Session-level flow aggregations |
| Alerts | SNMP traps mapped to Splunk alert structure |
| Performance | SNMP polling data — CPU, memory, interface utilisation |
| Inventory | Network device identity and interface metadata |
Required By
TA-netflow must be installed before any of the following products can function:
Splunk Observability Cloud (O11y) uses a separate integration path and does not require TA-netflow.
Deployment Topology
Install TA-netflow on every Splunk tier that handles NFO data:
| Splunk Component | Install Required? |
|---|---|
| Search Heads | Yes — field extractions and CIM mappings at search time |
| Indexers | Yes — index-time field extractions |
| Heavy Forwarders | Yes — if used as an intermediate forwarder for NFO data |
| Universal Forwarders | No |
Installation
TA-netflow is available on Splunkbase. Install it on each required Splunk tier:
- In Splunk Web, go to Apps → Manage Apps → Install app from file.
- Upload the TA-netflow package.
- Restart Splunk if prompted.
- Repeat on all required tiers — Search Heads, Indexers, and Heavy Forwarders.
Setup — Splunk Enterprise
After installation, configure the sourcetype by creating the following file if it does not exist:
$SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf
Add the following:
[udp://10514]
sourcetype = flowintegrator
Optional: Custom Index
With no index set on the input, NFO events are stored in Splunk's default index (main). To use a dedicated index, create:
$SPLUNK_ROOT/etc/apps/TA-netflow/local/indexes.conf
Add the following:
[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db
coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb
Then update inputs.conf to include the index:
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
Restart Splunk for configuration changes to take effect.
Setup — Splunk Cloud
Step 1 — Configure forwarding to your Splunk Cloud instance
The recommended method is documented in the Splunk documentation: How to forward data to Splunk Cloud.
Step 2 — Set the sourcetype on your Universal Forwarder
On the Universal Forwarder that forwards to Splunk Cloud, create the following file if it does not exist:
$SPLUNK_UF_ROOT/etc/system/local/inputs.conf
Add the following:
[udp://10514]
sourcetype = flowintegrator
Step 3 — Optional: Custom index
Create the index in Splunk Cloud following Splunk's instructions: Manage indexes in Splunk Cloud.
Then update inputs.conf to include the index:
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
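The same UDP listener stanza is used for the Splunk Enterprise setup above and for the Universal Forwarder in the Splunk Cloud setup. The following script is an added example, not part of TA-netflow or NetFlow Optimizer: it parses an inputs.conf, checks the stanza against what this page asks for (port 10514, sourcetype flowintegrator, an index that is also defined in indexes.conf when one is given), and flags the hardening a practitioner would add. Without an acceptFrom ACL, any host that can reach UDP/10514 can inject records into the flowintegrator sourcetype; connection_host = ip avoids a reverse DNS lookup per sender. The NFO address 10.0.0.5, the hardened stanza and the test-only conf text are constructed for this example; the page's own stanzas are copied verbatim.

```python
"""Audit the TA-netflow UDP listener in a Splunk inputs.conf (added example)."""
from __future__ import annotations

import configparser
import ipaddress

NFO_HOST = "10.0.0.5"          # assumption: address of the NFO server sending to Splunk
EXPECTED_PORT = "10514"        # port used in the stanzas on this page
EXPECTED_SOURCETYPE = "flowintegrator"

# Stanzas copied from this page.
PAGE_INPUTS = """\
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
"""
PAGE_INDEXES = """\
[flowintegrator]
homePath = $SPLUNK_DB/flowintegrator/nfi_traffic/db
coldPath = $SPLUNK_DB/flowintegrator/nfi_traffic/colddb
thawedPath = $SPLUNK_DB/flowintegrator/thaweddb
"""
# Constructed hardened variant: only the NFO host may send, no reverse DNS per sender.
HARDENED_INPUTS = """\
[udp://10514]
sourcetype = flowintegrator
index = flowintegrator
acceptFrom = 10.0.0.5
connection_host = ip
"""


def _parse(text: str) -> configparser.ConfigParser:
    # Splunk .conf files are INI-like. Interpolation is off so values such as
    # $SPLUNK_DB/... survive verbatim; optionxform keeps setting names case-sensitive.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _acl_allows(acl: str, host: str) -> tuple[bool, bool]:
    """Evaluate a Splunk network ACL ("10.0.0.5, !10.0.0.0/8, *") for one sender.

    Returns (host_allowed, everyone_allowed). Rules are applied in order and the
    first match decides, as Splunk does. Only literal IPs, CIDRs and '*' are
    evaluated; hostname patterns are skipped, so a skipped rule never counts as a match.
    """
    addr = ipaddress.ip_address(host)
    host_allowed, decided, everyone_allowed = False, False, False
    for raw in acl.split(","):
        entry = raw.strip()
        if not entry:
            continue
        deny = entry.startswith("!")
        pattern = entry[1:] if deny else entry
        if pattern == "*":
            matches = True
            everyone_allowed = everyone_allowed or not deny
        else:
            try:
                matches = addr in ipaddress.ip_network(pattern, strict=False)
            except ValueError:
                continue
        if matches and not decided:
            host_allowed, decided = (not deny), True
    return host_allowed, everyone_allowed


def audit_inputs(inputs_text: str, indexes_text: str | None = None,
                 nfo_host: str = NFO_HOST) -> list[str]:
    """Return findings for the NFO listener; an empty list means it matches this page
    and only the NFO host can send to it."""
    cp = _parse(inputs_text)
    findings: list[str] = []
    stanza = f"udp://{EXPECTED_PORT}"
    if not cp.has_section(stanza):
        return [f"no [{stanza}] stanza: nothing is listening for NFO output"]
    st = cp[stanza]
    sourcetype = st.get("sourcetype")
    if sourcetype != EXPECTED_SOURCETYPE:
        findings.append(f"sourcetype is {sourcetype!r}, expected {EXPECTED_SOURCETYPE!r}: "
                        "TA-netflow's extractions and CIM mappings key on it")
    index = st.get("index")
    if index is None:
        findings.append("no index set: events go to the default index (main)")
    elif indexes_text is not None and not _parse(indexes_text).has_section(index):
        findings.append(f"index {index!r} is referenced but not defined in indexes.conf")
    acl = st.get("acceptFrom")
    if acl is None:
        findings.append(f"no acceptFrom: any host that can reach UDP/{EXPECTED_PORT} "
                        "can inject flow records")
    else:
        host_allowed, everyone_allowed = _acl_allows(acl, nfo_host)
        if everyone_allowed:
            findings.append("acceptFrom contains '*': the ACL does not restrict senders")
        if not host_allowed:
            findings.append(f"acceptFrom does not allow the NFO host {nfo_host}")
    if st.get("connection_host") == "dns":
        findings.append("connection_host = dns resolves each sender by reverse DNS; use ip")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_INPUTS), ("hardened", HARDENED_INPUTS)):
        print(name, audit_inputs(text, PAGE_INDEXES) or ["ok"])
```

Run it against the files you actually deploy (`$SPLUNK_ROOT/etc/apps/TA-netflow/local/inputs.conf` on Enterprise, `$SPLUNK_UF_ROOT/etc/system/local/inputs.conf` on the forwarder) by reading them into `audit_inputs`; on the forwarder pass no indexes.conf, since the index lives in Splunk Cloud.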
Verification
Once NFO is configured to send data to Splunk, run the following search to confirm events are arriving and fields are being extracted (use index=main if you did not create the custom index):
index=flowintegrator sourcetype=flowintegrator | head 10
Verify that fields such as src_ip, dest_ip, bytes, packets, and nfc_id appear in the Interesting Fields sidebar. If no results appear within a few minutes of NFO being configured, first check that UDP port 10514 on the Splunk input is reachable from the NFO host and not blocked by a host or network firewall, then see Troubleshooting or contact support@netflowlogic.com.
Next Steps
Once TA-netflow is installed and data is flowing, install the main app on your Search Heads and complete the pipeline setup:
- NetFlow and SNMP Analytics App — dashboards for traffic analysis, security, and device health.
- Deployment & Configuration — configure NFO output, Splunk HEC or Syslog inputs, index macros, and verify end-to-end data flow.