Re: How can I index Netflow?

Dan · ‎06-29-2010

I want to be able to search netflow data to find suspicious conversations (i.e. someone opening a connection and closing it right away). Is there a way to get a netflow feed into Splunk?

NetFlow_Logic · ‎03-10-2014

All previously existing versions of NetFlow Logic Splunk apps have been merged into one NetFlow for Splunk by NetFlow Logic App. See this link http://apps.splunk.com/app/489/

maverick · ‎08-18-2010

Netflow data is binary and, even though you could splunk it like that, it would not be useful in that form inside your Splunk GUI while searching. Therefore, the flow will need to be converted to humanly-readable text first via some NetFlow-2-Text converter, such as the ones mentioned at the "TrafficFlows" link provided in the previous answer.

Once converted to text, however, you could then easily setup Splunk to listen on any open tcp or udp port for incoming converted flow streams and just send the it directly to that port and SPlunk will index it in real time.

NetFlow_Logic · ‎01-21-2013

"Splunk for NetFlow" App is replaced with "NetFlow for Splunk". See this link: http://splunk-base.splunk.com/apps/22328/netflow-for-splunk-powered-by-netflow-integrator

maverick · ‎03-18-2011

See this link for the Splunk for Netflow App: http://splunkbase.splunk.com/apps/All/4.x/app:Splunk+for+NetFlow

rayfoo · ‎06-29-2010

Yes.

http://www.splunk.com/wiki/Apps:TrafficFlows

How can I index Netflow?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...