Downloading IxFlow

MD5 checksums of the packages:
ixflow_140.tgz  19ef2569451355b5225da6cf8d67d67b
ixflow_11.tgz   ac0b4a69dedc87d04907c7f59f65d1b6
ixflow_101.tgz  5e5a81d6bb6edeabebff75e71e3c9695
ixflow_10.tgz   7067ee6499a34cec38237bd284813c06
IxFlow

Details
The IxFlow application for Splunk allows Ixia Application & Threat Intelligence Processor (ATIP) flow data to be indexed and reported in Splunk.

(This app has been tested with Splunk Enterprise 6.4 running on top of Ubuntu 14.04 64-bit Server.)

You can add the IxFlow App for Splunk via the 'Browse More Apps' section of the Splunk GUI or using the Splunk CLI.

The default listener port for IxFlow is UDP 4739; you may need to change this collection port in the IxFlow app to match the port number used by the Ixia ATIP (IxFlow exporter). Other parameters, such as data rollover, can also be adjusted. To do so, edit the following file from the command line:
cd /opt/splunk/etc/apps/ixflow_app/bin
sudo nano ixflow.sh
then run it:
sudo ./ixflow.sh

If you encounter the error message 'directory ixflow-cap does not exist' after running ixflow.sh, create that directory and then run the script again. This is a known issue that sometimes occurs; it will be fixed in the next IxFlow app release.
cd /opt/splunk/etc/apps/ixflow_app
sudo mkdir ixflow-cap
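Before editing and running ixflow.sh it is worth confirming that the archive you installed is the one whose checksum is listed above, and the ixflow-cap workaround is easy to automate. The following is an added example, not code shipped with the IxFlow app: it streams a downloaded package through MD5, compares the result with the published values from this page, and creates the ixflow-cap directory under the app folder if it is missing. The app path /opt/splunk/etc/apps/ixflow_app comes from the instructions above; the self_check routine works on constructed files in a temporary directory. MD5 is not collision resistant, so treat this as a guard against a corrupted or truncated download rather than as proof of the package's origin.

```python
"""Added example (not part of the IxFlow app): verify a downloaded IxFlow
package against the MD5 values listed on the download page, and apply the
documented workaround of creating <app>/ixflow-cap before running ixflow.sh."""
import hashlib
import hmac
import os
import tempfile

# MD5 checksums exactly as published on the download page, keyed by archive name.
PUBLISHED_MD5 = {
    "ixflow_140.tgz": "19ef2569451355b5225da6cf8d67d67b",
    "ixflow_11.tgz": "ac0b4a69dedc87d04907c7f59f65d1b6",
    "ixflow_101.tgz": "5e5a81d6bb6edeabebff75e71e3c9695",
    "ixflow_10.tgz": "7067ee6499a34cec38237bd284813c06",
}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file through MD5 so a large archive need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_package(path, expected_md5=None):
    """Return True when the file's MD5 matches the expected value.

    With no expected value given, the published digest is looked up by the
    archive's file name; an unknown name raises rather than silently passing.
    """
    if expected_md5 is None:
        expected_md5 = PUBLISHED_MD5.get(os.path.basename(path))
        if expected_md5 is None:
            raise ValueError("no published checksum for %s" % os.path.basename(path))
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(md5_of_file(path), expected_md5.lower())


def ensure_capture_dir(app_dir):
    """Create <app_dir>/ixflow-cap if it is missing (the documented workaround
    for 'directory ixflow-cap does not exist') and return its path."""
    capture_dir = os.path.join(app_dir, "ixflow-cap")
    os.makedirs(capture_dir, exist_ok=True)
    return capture_dir


def self_check():
    """Exercise both helpers on constructed files in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for the archive: three bytes, not the real package.
        package = os.path.join(tmp, "ixflow_140.tgz")
        with open(package, "wb") as fh:
            fh.write(b"abc")
        matches_own_digest = verify_package(package, "900150983cd24fb0d6963f7d28e17f72")  # MD5("abc")
        matches_published = verify_package(package)  # published digest cannot match constructed bytes
        capture_dir = ensure_capture_dir(tmp)
        return {
            "matches_own_digest": matches_own_digest,
            "matches_published": matches_published,
            "capture_dir_exists": os.path.isdir(capture_dir),
        }


if __name__ == "__main__":
    print(self_check())
    # For a real install:
    #   verify_package("/path/to/ixflow_140.tgz")
    #   ensure_capture_dir("/opt/splunk/etc/apps/ixflow_app")
```

On a real host, run verify_package on the archive you uploaded through the Splunk GUI and ensure_capture_dir on the app folder before invoking ixflow.sh; the directory creation is idempotent, so it is safe to leave in a provisioning script.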

The Ixia ATIP must be properly configured to generate and forward IxFlow (i.e. Ixia enhanced NetFlow) records to the IxFlow App for Splunk. Please consult the Ixia ATIP documentation for details.

The entire list of fields we support is:
L7 Application Name - Application name, truncated at 128 characters.
Source IP Country Code - 2-letter country code for the source IP address
Source IP Country Name - Country name for the source IP address. Truncated at 128 characters.
Source IP Region Code - 2-letter region code for the source IP address
Source IP Region Name - Region name for the source IP address. Truncated at 128 characters.
Source IP City Name - City name for the source IP address. Truncated at 128 characters.
Source IP Latitude - Latitude for the source IP address
Source IP Longitude - Longitude for the source IP address
Destination IP Country Code - 2-letter country code for the destination IP address. Truncated at 128 characters.
Destination IP Country Name - Country name for the destination IP address. Truncated at 128 characters.
Destination IP Region Code - 2-letter region code for the destination IP address. Truncated at 128 characters.
Destination IP Region Name - Region name for the destination IP address. Truncated at 128 characters.
Destination IP City Name - City name for the destination IP address. Truncated at 128 characters.
Destination IP Latitude - Latitude for the destination IP address
Destination IP Longitude - Longitude for the destination IP address
OS Device Name - String containing OS name, truncated at 128 characters.
Browser Name - Unique Name for each browser type
Reverse Octet Delta Count - When exporting bidirectional flows, this field contains the byte count for the server back to the client side of the connection
Reverse Packet Delta Count - When exporting bidirectional flows, this field contains the packet count for the server back to the client side of the connection
SSL Connection Encryption Type - When SSL decryption is enabled, the encryption type:
    'Encrypted' - flow encrypted and was not decrypted
    'Decrypted' - flow encrypted and was decrypted by ATIP
    'Cleartext' - flow not encrypted
SSL Encryption Cipher Name - For decrypted flows only, the name of the cipher used for decryption. Truncated at 128 characters.
SSL Encryption Key Length - For decrypted flows only, the bit length of the key used
User Agent - The user agent sent in the request HTTP header, truncated at 128 characters.
Host Name - The hostname field sent in the request HTTP header, truncated at 128 characters.
URI - The URI sent in the request HTTP header, truncated at 128 characters.
DNS - The DNS TXT field sent as part of a DNS request/response, truncated at 128 characters.

Release Notes

Version 1.4.0
July 7, 2016

The IxFlow application for Splunk allows Ixia Application & Threat Intelligence Processor (ATIP) flow data to be indexed and reported in Splunk.
Release 1.4.0 adds the 'Indicators of Compromise' fields:
- userAgent
- hostName
- URI
- dnsTxt

Supports:
Linux 64bit
Linux 32bit

See Details tab for further configuration notes

Version 1.1
June 29, 2015

The IxFlow application for Splunk allows Ixia Application & Threat Intelligence Processor (ATIP) flow data to be indexed and reported in Splunk.
Release 1.1 adds:
- bgpSource
- bgpDestination
- observationDomainID
- portID

Supports:
Linux 64bit
Linux 32bit
Mac OS X

Version 1.01
May 13, 2014

The IxFlow application for Splunk allows Ixia Application & Threat Intelligence Processor (ATIP) flow data to be indexed and reported in Splunk.

Supports:
Linux 64bit
Linux 32bit
Mac OS X

Version 1.0
May 9, 2014

The IxFlow application for Splunk allows Ixia Application & Threat Intelligence Processor (ATIP) flow data to be indexed and reported in Splunk.

1) Prerequisites: The app requires an Ixia NTO unit equipped with the new ATIP card; the Ixia ATIP generates the IxFlow (enhanced NetFlow) traffic that is indexed and reported on by the Splunk IxFlow application. The ATIP card requires Ixia NTO release 4.0.3 or newer. The Ixia ATIP must be configured with a NetFlow destination IP address of the Splunk server where the IxFlow application is installed. The Splunk server must be able to accept traffic on the NetFlow port number (by default UDP port 4739, but configurable on ATIP).

2) Target Platform: The IxFlow app is intended to be used with Splunk 6.0 or newer. The app is designed to run on Linux OS.

3) Installation: Install the app using the Splunk platform. Go to Manager -> Apps -> Install App from File, browse for the "ixflow_app.spl" file and click Upload. The Splunk framework detects that it needs to restart itself; click to restart Splunk. After installation the app label is visible and the app can be run from the Splunk platform "App" tab.

4) Configuration: the app starts with no settings required. However, the application parameters can be changed through the script configure.sh located in the folder $SPLUNK_HOME/etc/apps/ixflow_app. Among the most important changeable parameters are the UDP port number and the number of days to maintain logs.

5) Using the App: the following views are available in IxFlow:

a. Top Talkers Source / Dest IPs
b. Top Applications
c. Top Dynamic Apps
d. Top Browsers
e. Top Devices
f. Source/Destination Countries
g. Source/Destination Regions
h. Source/Destination Cities
i. Geographic Map

Time period for the data may be changed via the drop down in the top left corner.
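The field list in the Details section fixes a few constraints on every IxFlow record (strings truncated at 128 characters, 2-letter country and region codes, the three SSL connection encryption types, cipher name and key length only for decrypted flows, reverse counters only for bidirectional flows), and the views listed above are aggregations over those fields. The block below is an added example, not code from the IxFlow app or from Ixia: it applies those documented constraints to incoming records, reports anything that violates them, and computes the totals behind the Top Talkers and Top Applications views plus a cleartext/decrypted/encrypted breakdown. The exporter element names used here (sourceIPv4Address, l7ApplicationName, sslConnectionEncryptionType, octetDeltaCount and the rest) are assumptions; the page gives only display names plus userAgent, hostName, URI and dnsTxt from the 1.4.0 release notes. The sample records are constructed, not captured traffic.

```python
"""Added example (not the IxFlow app's own code): apply the documented IxFlow
field constraints to records and compute the summaries behind the app's views.
Element names below are assumptions; the page gives display names only."""
from collections import Counter

MAX_STRING = 128                                                 # documented truncation length
SSL_CONNECTION_TYPES = ("Encrypted", "Decrypted", "Cleartext")   # documented values

# Fields the page documents as "truncated at 128 characters" (assumed element names).
TRUNCATED_FIELDS = (
    "l7ApplicationName", "sourceIpCountryName", "sourceIpRegionName", "sourceIpCityName",
    "destinationIpCountryName", "destinationIpRegionName", "destinationIpCityName",
    "osDeviceName", "sslEncryptionCipherName", "userAgent", "hostName", "URI", "dnsTxt",
)
COUNTRY_CODE_FIELDS = ("sourceIpCountryCode", "destinationIpCountryCode")
COUNTER_FIELDS = ("octetDeltaCount", "reverseOctetDeltaCount",
                  "packetDeltaCount", "reversePacketDeltaCount")


def normalize(record):
    """Return (normalized copy, list of problems) for one flow record."""
    out = dict(record)
    problems = []
    for field in TRUNCATED_FIELDS:
        value = out.get(field)
        if isinstance(value, str) and len(value) > MAX_STRING:
            out[field] = value[:MAX_STRING]
            problems.append("%s longer than %d chars, truncated" % (field, MAX_STRING))
    for field in COUNTRY_CODE_FIELDS:
        value = out.get(field)
        if value is not None and not (len(value) == 2 and value.isalpha()):
            problems.append("%s is not a 2-letter code: %r" % (field, value))
    ssl_type = out.get("sslConnectionEncryptionType")
    if ssl_type is not None and ssl_type not in SSL_CONNECTION_TYPES:
        problems.append("unknown sslConnectionEncryptionType %r" % ssl_type)
    # Cipher name and key length are documented for decrypted flows only.
    if ssl_type != "Decrypted" and ("sslEncryptionCipherName" in out or "sslEncryptionKeyLength" in out):
        problems.append("cipher fields present on a flow that was not decrypted")
    # Reverse counters exist only for bidirectional flows; default them so sums work.
    for field in COUNTER_FIELDS:
        out.setdefault(field, 0)
    return out, problems


def normalize_all(records):
    """Normalize a batch; problems are prefixed with the record index."""
    normalized, problems = [], []
    for index, record in enumerate(records):
        out, errs = normalize(record)
        normalized.append(out)
        problems.extend("record %d: %s" % (index, e) for e in errs)
    return normalized, problems


def flow_bytes(record):
    """Bytes in both directions of a normalized flow record."""
    return record["octetDeltaCount"] + record["reverseOctetDeltaCount"]


def top_talkers(records, n=5, key="sourceIPv4Address"):
    """Addresses ranked by total bytes, as in the Top Talkers view."""
    totals = Counter()
    for record in records:
        totals[record[key]] += flow_bytes(record)
    return totals.most_common(n)


def top_applications(records, n=5):
    """L7 application names ranked by total bytes, as in the Top Applications view."""
    totals = Counter()
    for record in records:
        totals[record.get("l7ApplicationName", "unknown")] += flow_bytes(record)
    return totals.most_common(n)


def encryption_summary(records):
    """How many flows ATIP saw in cleartext, decrypted, or could not decrypt."""
    return dict(Counter(r.get("sslConnectionEncryptionType", "unknown") for r in records))


# Constructed sample records (not captured data); the last one is deliberately malformed.
SAMPLE_RECORDS = [
    {"sourceIPv4Address": "10.0.0.5", "destinationIPv4Address": "203.0.113.10",
     "l7ApplicationName": "HTTP", "sourceIpCountryCode": "US",
     "sslConnectionEncryptionType": "Cleartext", "hostName": "www.example.com",
     "userAgent": "Mozilla/5.0", "octetDeltaCount": 4000, "reverseOctetDeltaCount": 8000},
    {"sourceIPv4Address": "10.0.0.7", "destinationIPv4Address": "203.0.113.20",
     "l7ApplicationName": "HTTPS", "sourceIpCountryCode": "DE",
     "sslConnectionEncryptionType": "Decrypted", "sslEncryptionCipherName": "AES256-SHA",
     "sslEncryptionKeyLength": 256, "octetDeltaCount": 1500, "reverseOctetDeltaCount": 500},
    {"sourceIPv4Address": "10.0.0.5", "destinationIPv4Address": "203.0.113.30",
     "l7ApplicationName": "HTTPS", "sourceIpCountryCode": "US",
     "sslConnectionEncryptionType": "Encrypted", "octetDeltaCount": 300, "reverseOctetDeltaCount": 700},
    {"sourceIPv4Address": "10.0.0.9", "destinationIPv4Address": "203.0.113.53",
     "l7ApplicationName": "DNS", "sourceIpCountryCode": "USA",          # 3 letters: invalid
     "sslConnectionEncryptionType": "Cleartext", "dnsTxt": "v=spf1 " + "a" * 200,  # over 128
     "octetDeltaCount": 100},                                           # unidirectional
]

if __name__ == "__main__":
    records, problems = normalize_all(SAMPLE_RECORDS)
    print(problems)
    print(top_talkers(records), top_applications(records), encryption_summary(records))
```

The problems list is the part a defender should keep an eye on: a code that is not two letters, a string that hit the 128-character limit, or cipher fields on a flow the ATIP did not decrypt point at an exporter or template mismatch rather than at traffic, and the Encrypted count in the summary is the share of TLS traffic the app's SSL fields cannot describe.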

6) Troubleshooting: If the IxFlow app does not behave as expected, run (or rerun) the script ./configure.sh located in the folder $SPLUNK_HOME/etc/apps/ixflow_app.

4 installs, 305 downloads

© 2005-2017 Splunk Inc. All rights reserved.