Very often, network traffic events can provide a lot of information about misconfigurations, potential attacks, and user activity. This app provides searches and dashboards based on the Splunk Common Information Model to help provide insight into your network traffic.
This app requires data model acceleration, which will use additional disk space. If you are using the Splunk App for Enterprise Security, this is already enabled, and should have been factored into your retention policies. If not, you should review the documentation on data model acceleration, how it uses disk space, and how to plan for it. This documentation can be found in the Splunk Enterprise Knowledge Manager Manual.
As mentioned above, the app uses the CIM for network traffic events. The CIM allows you to take events from a number of sources or products, and report on them in one cohesive manner, using a common set of names for fields and event types.
Network Traffic data model includes both
dest fields, and
dest_ip fields. For this app, I have opted to use the
_ip versions of these fields, in case hostnames are being used for the other fields. Make sure your field extractions are correctly populating these fields.
Below are the dashboards available within the app.
Provides a general overview of the network traffic events.
Provides information around an IP address (both
src_ip), including traffic from, to, and possible open ports.
Information around the
transport field of events (TCP, UDP, ICMP, etc.).
This form provides information based on the destination port (
dest_port) field of events, such as the traffic over time, conversations, and sources.
Currently just top destinations (external and from external to internal). The determination on internal vs. external is configured by macros. See the App Configuration Macros section of this document.
This dashboard provides the top potential scanners (both host and port scanners) based on network traffic.
This is based on the geo-ip information provided by the built-in IP location from Splunk. Internal traffic is excluded from this page. Note: The searches on this page may take a while to load.
A form which allows for searching network traffic events based on a few different parameters.
Note: This dashboard is not shown in the navigation bar. To view this dashboard, go to
User Interface ->
Views -> and select the
Open option next to the
sourcetype_information item in the list.
This app has been tested with Splunk versions 6.4.x. This app should be installed on the same search head on which the
network_traffic data model has been accelerated.
This app depends on data models included in the Splunk Common Information Model Add-on, specifically the
NetworkTraffic data model. Information on installing and using the Splunk Common Information Model Add-on can be found in the Common Information Model Add-on Manual, as well as tag and field requirements for the Network Traffic data model.
Information on configuring the acceleration on the data model can be found in the Knowledge Manager Manual.
The Splunk Common Information Model Add-on can be downloaded from Splunkbase. This app has been tested with versions 4.5 of the CIM add-on.
In order to make the app respond and load quickly, accelerated data models are used to provide summary data. For this data to be available, the
Network_Traffic data model must be accelerated. Information on how to enable acceleration for the
Network_Traffic data model can be found in the Knowledge Manager Manual.
This app should be installed on a search head where the
Network_Traffic data model has been accelerated. More information on installing or upgrading Splunk apps can be found here: <http: docs.splunk.com="" documentation="" splunk="" latest="" admin="" wheretogetmoreapps="">
Note: This app will require a restart of Splunk.
Network_Trafficdata model (skip if you are installing on an ES search head).
This app may require some configuration before it will work properly (outside of the configuration of the Data Model Acceleration). In particular, you may need to edit the configuration macros, as well as the dropdown which populates the
Device dropdown found on many of the dashboards.
This macro contains the search which is used to populate the
Devices dropdown found on many of the dashboards. By default this is the auto-generated lookup, however, the macro can be edited to point to another lookup as needed.
This macro contains a partial search which determines when a network traffic event's destination IP address is external to your network. By default this will exclude private IP addresses, but can be edited to reflect your own network configuration. Note: this search snippet is used in searches using the accelerated data models and the tstats command. While the normal SPL does support CIDR,
tstats does not. Make sure your search syntax will work with the
This macro contains a partial search which determines when a network traffic event's source IP address is external to your network. By default this will exclude private IP addresses, but can be edited to reflect your own network configuration. Note: this search snippet is used in searches using the accelerated data models and the tstats command. While the normal SPL does support CIDR,
tstats does not. Make sure your search syntax will work with the
For the "Device" dropdown, present on many of the dashboards, you can use the auto-generated lookup, which runs every morning at 2 am.
Network_Traffic data model is populated, you can run the saved search
network_traffic_dvc_auto_gen to populate the dropdown.
The lookup has two fields:
device_name can be a description of the device.
dvc can be wild-carded (not CIDR, as that is not available in
tstats searches used with the accelerated data models). The search used to populate this dropdown can be configured using the
Support for this app is provided on a best-effort basis. We have released this app for free, and want to help solve issues, and add features, but we also have day-jobs.
Need help? Use the Splunk community resources! I can be found on many of them:
The git repo for this app is located here.
* Removed backup directory from views directory
* Removed README from views directory
* Removed local.meta
* Removed default csv file for device dropdown
* Edited README.md to fix section on the device dropdown
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.