Splunk® Supported Add-ons

Splunk Add-on for NetFlow

Download manual as PDF

Download topic as PDF

About the Splunk Add-on for NetFlow

This product has been deprecated. Use the Splunk Stream app to ingest Netflow data. See the Use Splunk Stream to ingest Netflow and IPFIX data topic in the Splunk Stream manual for more information.

Version 3.0.1
Vendor Products NetFlow versions 5 and 7, with limited IPFIX headers support for NetFlow version 9

The Splunk Add-on for NetFlow allows a Splunk software administrator to receive and convert NetFlow streams from compatible network gear. The add-on maps the NetFlow data to the Common Information Model for use with CIM-compliant apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.

The Splunk Add-on for NetFlow is based on the NFDUMP project.

If you have NetFlow v10 data, see the Splunk Add-on for IPFIX. Sites using both NetFlow v5/v9 and IPFIX (v10) data may wish to use a combination of both add-ons, listening on different ports.

Download the Splunk Add-on for NetFlow from Splunkbase at http://splunkbase.splunk.com/app/1658.

Discuss the Splunk Add-on for NetFlow on Splunk Answers at http://answers.splunk.com/answers/app/1658.

  NEXT
Source types for the Splunk Add-on for NetFlow

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

>Does this Add-on eliminate the need for NetFlow Integrator?<br />Yes and no. With this TA, you can ingest the full stream of flow data into Splunk.<br /><br />But, NetFlow itself is a chatty protocol, a very busy router might generate several GB of log data per HOUR. With this app, you should be able to ingest that data into Splunk. So do you need NetFlow Integrator? No.<br /><br />But is it a good idea to use NetFlow Integrator anyway? Possibly. Using the commercial version of NetFlow Integrator, one can define rules that allow you to select which flows are important enough to send into Splunk, and which should be dropped. Those rules also allow "data point consolidation" [basically aggregation] for the data. Using a combination of approaches, a Splunk environment with NetFlow Integrator will send a small fraction of the traffic to Splunk. There are a number of benefits for doing this, including cost, performance, and storage.

Mdonnelly splunk
July 15, 2014

I am wondering if this Add-on eliminates the need for NetFlow Integrator. It sounds like this add-on will take netflow streams directly and "convert" to ASCII for use in Splunk.<br /><br />Appreciate if you can clarify.

Darlas
July 7, 2014

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters