
Cisco AnyConnect Network Visibility Module (NVM) App for Splunk

The Cisco AnyConnect Network Visibility (NVM) App for Splunk allows IT administrators to analyze and correlate user and endpoint behavior in Splunk Enterprise. This app provides collection and reporting of IPFIX flows generated by the Cisco AnyConnect Network Visibility Module. This module collects additional context such as user, device, application, location and destination for flows both on and off premise.


Cisco AnyConnect Network Visibility Module (NVM) App for Splunk consists of 2 components:
• The Collector Component which is responsible for collecting and translating all IPFIX (nvzFlow) data from the endpoints and forwarding it to the Splunk App. This is a manually installed add-on for Splunk Enterprise.
• The Splunk App with pre-designed Dashboards to view and analyze the data.


The Application should be installed on the Search Head or Indexer, either through the UI via “Manage Apps” or by extracting the archive into the /opt/splunk/etc/apps folder. Please restart the Splunk Server after installation is completed.

After completing this step, refer to the collector installation section below. The collector must be running before data will be available to the Splunk application.

The default configuration receives two data feeds for Splunk, Per Flow Data and Endpoint Identity Data, on UDP ports 20519 and 20520 respectively. These ports can be changed in the Application Input settings in Splunk if you change the collector configuration as described below.


The collector runs on 64-bit Linux. CentOS and Ubuntu configuration scripts are included. The CentOS install scripts and configuration files can also be used on Fedora and Red Hat distributions.

The collector should be run on either a standalone 64-bit Linux system or a Splunk Forwarder running on 64-bit Linux. The solution can also be run on a single 64-bit Linux system that includes both the collector and Splunk Enterprise for demonstration purposes.

To install the collector, copy the CiscoNVMCollector_TA.tar file, located in the $APP_DIR$/appserver/addon/ directory, to the system you plan to install it on.

Extract the tar file on the system where you plan to install the collector and execute the install.sh script with superuser privileges. It is recommended to read the $PLATFORM$_README file in the .tar bundle before executing the install.sh script. The $PLATFORM$_README file provides information on the relevant configuration settings that need to be verified and modified (if necessary) before the install.sh script is executed. At a minimum, you will need to configure the address of the Splunk instance you will be forwarding data to. Failing to properly configure the system can cause the collector to operate incorrectly.

A collector can handle a minimum of 5000 flows per second on a properly sized system.

The collector needs to be configured and running before the Splunk App can be used.
By default, the collector receives flows from AnyConnect NVM endpoints on UDP port 2055.
Additionally, the collector produces two data feeds for Splunk, Per Flow Data and Endpoint Identity Data, on UDP ports 20519 and 20520 respectively.

Both the receive and data feed ports can be changed by altering the acnvm.conf file and restarting the collector instance. Make sure that any network firewalls between endpoints and the collector or between the collector and Splunk system(s) are open for the configured UDP ports. Also ensure that your AnyConnect NVM configuration matches your collector configuration. Refer to the AnyConnect Administration Guide for more information.
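To confirm the listeners described above before looking at firewalls, the following added example (not part of the Cisco app or its documentation) parses `ss -H -uln` output and reports which of the default UDP ports have no listener reachable from other hosts. The function name and the sample lines are constructed for illustration, and the ports are the defaults stated on this page.

```shell
#!/bin/sh
# Added example: find missing UDP listeners for the NVM collector and Splunk feeds.
# Default ports from this page: 2055 (endpoints -> collector),
# 20519 and 20520 (collector -> Splunk). Adjust if acnvm.conf was changed.

# missing_udp_listeners PORT...
# Reads `ss -H -uln` lines on stdin (no -p, so the local address is the
# second-to-last column) and prints, space separated, every PORT that has no
# listener other hosts can reach. Loopback-only sockets do not count.
missing_udp_listeners() {
    awk -v want="$*" '
        NF >= 2 {
            addr = $(NF - 1)                 # Local Address:Port column
            n = match(addr, /:[0-9]+$/)      # port follows the last colon
            if (n == 0) next
            host = substr(addr, 1, n - 1)
            port = substr(addr, n + 1)
            if (host ~ /^127\./ || host == "[::1]") next
            seen[port] = 1
        }
        END {
            count = split(want, ports, " ")
            out = ""
            for (i = 1; i <= count; i++)
                if (!(ports[i] in seen))
                    out = out (out == "" ? "" : " ") ports[i]
            print out
        }'
}

# Constructed sample: collector port open on all interfaces, one Splunk feed
# bound to loopback only, the other feed absent, plus an unrelated listener.
SAMPLE='UNCONN 0 0 0.0.0.0:2055 0.0.0.0:*
UNCONN 0 0 127.0.0.1:20519 0.0.0.0:*
UNCONN 0 0 [::]:123 [::]:*'

echo "missing in sample: $(printf '%s\n' "$SAMPLE" | missing_udp_listeners 2055 20519 20520)"

# Live use on the collector host:   ss -H -uln | missing_udp_listeners 2055
# Live use on the Splunk host:      ss -H -uln | missing_udp_listeners 20519 20520
```

An empty result means every requested port has a non-loopback listener; a listed port points at the service or its bind address rather than at a firewall.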

Once both components are installed and running, refer to the Help files section from within the Splunk application for detailed information about the pre-configured reports, data model and information elements that are created by the solution.

After initial setup, you may need to restart one of your AnyConnect endpoints to ensure the initial IPFIX templates are sent to the collector.

Some additional information is available at this Cisco Community Site that you might find useful.


Splunk Developers who are interested in learning more about the AnyConnect NVM protocol and overall solution can go to the Cisco DevNet site for more information.


This app is written and maintained by Cisco (nvzFlow at cisco dot com). No official support is available. Be sure to read the above sections for initial assistance with setup and configuration. See Supplemental End User License for more information.

Release Notes

Version 1.0.1234
May 21, 2018

Version 1.0.346
Dec. 8, 2017

Adds fes and fss (flow start and end time) fields for seconds since epoch

Version 1.0.243
Nov. 16, 2017

Version 1.0.177
Nov. 9, 2017

Add preload templates for nvzflow3

Version 1.0.140
Nov. 6, 2017

Added filtering capabilities for collector.
Improved concurrency support for collector.
Added support for Kafka export.
Added plugin framework to extend export capabilities.

For more information, see Help->User Guide in the Splunk app.

Version 1.0.41
Oct. 25, 2017

Version 1.02
May 16, 2017

Version 1.01
Oct. 21, 2016

Add Network Interfaces dashboard.
Add application-specific metrics to the Applications dashboard.

Version 1.0
Dec. 20, 2015

Cisco AnyConnect Network Visibility App for Splunk. Copyright © 2015 Cisco Systems Inc. All rights reserved.

