Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Citrix NetScaler with AppFlow
MD5 checksum (citrix-netscaler-with-appflow_500.tgz) 8f66b4b66a13a0ab103e8b38639dcb72 MD5 checksum (citrix-netscaler-with-appflow_48.tgz) b109b585b069fad3a36e4e55354a2cbf MD5 checksum (citrix-netscaler-with-appflow_47.tgz) 1754047c23434660734a98df7cd703cc MD5 checksum (citrix-netscaler-with-appflow_464.tgz) 750a89c52997bb70d512e6b56a261f49 MD5 checksum (citrix-netscaler-with-appflow_463.tgz) a3ec42254d13f3c2e71d2ccce8ad2d61 MD5 checksum (citrix-netscaler-with-appflow_462.tgz) d18993087baca7271c09e15256ddf3d2 MD5 checksum (citrix-netscaler-with-appflow_461.tgz) c8082366b9d08b6ba9eb3a8b5ba7400e MD5 checksum (citrix-netscaler-with-appflow_46.tgz) b02d16c1f22a755cabf459bc828935c2 MD5 checksum (citrix-netscaler-with-appflow_45.tgz) d6e7219ea100817ac32241256c617fc5 MD5 checksum (citrix-netscaler-with-appflow_44.tgz) a9d0f65c358e3aec0a2ae310b0b00102 MD5 checksum (citrix-netscaler-with-appflow_43.tgz) b5de1ea80c882a698f77d1a889cc1d5e MD5 checksum (citrix-netscaler-with-appflow_42.tgz) 634acbc18daef5529ec80a7435d5ad22 MD5 checksum (citrix-netscaler-with-appflow_41.tgz) 54b69768fb700d423efdfe0880941991 MD5 checksum (citrix-netscaler-with-appflow_11.tgz) 256c3d13a98928794aa00a95159286d1 MD5 checksum (citrix-netscaler-with-appflow_10.tgz) 8e2e81e10f02017a70847f613fafff08 MD5 checksum (citrix-netscaler-with-appflow_00.tgz) 8e2e81e10f02017a70847f613fafff08
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Citrix NetScaler with AppFlow

The Splunk for Citrix NetScaler app is a set of field extractions, reports, lookups and dashboards which provide visibility into the Citrix NetScaler AppFlow, Application Firewall and VPN data. This app is configured to work with version 9.x of the Citrix NetScaler.

Support for this content

This app is not officially supported by Splunk Support. If you have a current Splunk Enterprise Support entitlement, Splunk will provide best-effort support for cases involving this app directly, but such cases will not be subject to the Splunk Enterprise Support SLA.


The Splunk for Citrix NetScaler app is a set of field extractions, reports, lookups and dashboards which provide visibility into the Citrix NetScaler AppFlow, Application Firewall and VPN data. This app is configured to work with version 9.x of the Citrix NetScaler.

The Splunk App for NetScaler with AppFlow translates binary AppFlow data to time- stamped ASCII text, so Splunk can utilize it and put it in context of all other data in the environment such as custom application log data, logs and metrics data of application components such as web servers, application servers, databases, firewalls, hypervisors and more. With added visibility into NetScaler and Appflow data, systems administrators and application support professionals are able to get central visibility into their entire environment and are able to correctly identify performance bottlenecks that lead to user experience issues. In addition to being able to detect and troubleshoot application performance issues faster, administrators can also visualize baselines, trends and other analytics that can help them plan capacity and make transactions more efficient for a better customer experience.
Splunk’s powerful visualization provides real-time views and role-appropriate dashboards on the state of key application performance and availability metrics. The flexibility and universality of Splunk allows you to put your operational data in a business context to allow richer, more informed business decision making. It also allows you to integrate in non-IT data to provide value added analysis that support the organization’s business objectives.

Splunk App for NetScaler with AppFlow— Dashboards and Reports

The Splunk App for NetScaler with AppFlow contains over 30 reports for situational awareness and dashboards supporting key business and security performance indicators (KPIs). Key reports available include:

HTTP user agent: shows you which platforms are most commonly used to access your web application

Most requested URLs: allows you to prioritize your response time optimization

Source and destination IPs and ports: gives you real time insight into the origins of your traffic

Average transaction times and round trip response times: allows you to monitor end user service levels

Traffic analysis by applications/servers: includes analysis of latencies and bandwidth usage

Load balancing dashboard: provides views of total bytes transferred by source destination and protocol

Web application firewall dashboard: shows violations by type over time, violations by IP address and the URL of the web page attacked.

SSL-VPN dashboard Critical Statistics dashboard: indicates the number of HTTP transactions URI, virtual server, user and host trended over time.

System Audit dashboard: depicts system console events and tracking commands/changes by user.

Reports from Splunk can be downloaded in PDF or Excel format and data ranges are fully supported. Reports can also be scheduled for delivery to individuals as PDFs. The Splunk App for Citrix NetScaler supports core Splunk functionality such as the ability to drill-down into raw log data from graphical elements and robust role-based access control.

Getting Started

For this app to work your Citrix NetScaler data must be extracting fields correctly. The Field Extractions included in this app are configured for the NetScaler v 9.0 and higher.

Upgrading from versions prior to 5.0.x

  1. On your Splunk server, remove the following:
    • $SPLUNK_HOME/etc/apps/Splunk_TA_NSIndexer
    • $SPLUNK_HOME/etc/apps/Splunk_TA_IPFIX_UDP_NIX (if applicable)
    • $SPLUNK_HOME/etc/apps/Splunk_TA_IPFIX_UDP_WIN (if applicable)
  2. Follow the rest of the installation instructions below.
  3. When uploading the installer file, make sure the "Upgrade app" is selected.


  1. Install the separate Splunk Add-on for IPFIX modular input. This input is required to collect AppFlow data.
  2. Click Download on this page. The SplunkforCitrixNetScaler-x.x.x.tar.gz installer file downloads to your computer.
  3. Log into Splunk Web.
  4. Click Apps > Manage Apps.
  5. Click Install App from File.
  6. Upload the SplunkforCitrixNetScaler-x.x.x.tar.gz installer file.
  7. Restart Splunk.

More Information

If you want to query NetScaler data using Data Models, then download and install the Common Information Model app.

Release Notes

Version 5.0.0
Sept. 5, 2014

Support for NetScaler version 10.x
Dashboards converted to Simple XML
Splunk CIM Compliance
Requires separate IPFIX collector

Version 4.8
Feb. 8, 2013

For this app to work your Citrix NetScaler data must be extracting fields correctly. The Field Extractions included in this app are configured for the NetScaler v 9.

To configure the app please set the sourcetype of your NetScaler logs to ns_log. If your data has already been indexed under a different sourcetype you will need to create a sourcetype alias for ns_log

To install the app, unpack this file into $SPLUNK_HOME/etc/apps and restart.

The indexing portion of this app has been split from the main app. This is found in the /appserver/addons/NS_Indexer directory. Copy that into $SPLUNK_HOME/etc/apps on your indexer and restart

Install videos:

*** AppFlow Configuration ***

The configuration file (ipfix.conf) is located in the app's "default" directory, which is $SPLUNK_HOME/etc/apps/Splunk_TA_IPFIX_UDP/default/ipfix.conf . The appflow dashboards and reports rely on the sourcetype=appflow.

Version 4.7
Feb. 20, 2012

- Update to use JavaScript chart, instead of Flash chart (so now the app supported iOS devices).

Version 4.6.4
Feb. 14, 2012

- Fixed permissions in default.meta

Version 4.6.3
Feb. 1, 2012

- Fixed a bug when incoming AppFlow records are incomplete.
- Added a new field 'templateId' for easily searching records with a specific AppFlow Template ID.

Version 4.6.2
Oct. 17, 2011

- Fixed bug: Duplicate Application names in AppFlow Traffic Analysis dashboards.

Version 4.6.1
Sept. 8, 2011

Fix bug with the error caused by the python script when parsing appflow traffic.

Version 4.6
Aug. 13, 2011

Fix bug with the lookup table issue.

Version 4.5
Aug. 9, 2011

Add lookup for appID (e.g. Virtual Server name) and minor interface changes.

Version 4.4
Aug. 3, 2011

This release updates the NetScaler Overview dashboard and the AppFlow Security dashboard.

Version 4.3
Aug. 1, 2011

This version includes new dashboards under AppFlow menu and bug fixes.

*** NOTE: There is a bug in Paginator components of AppFlow dashboards. For example, it may show that you have 10 pages of result data, but actually, you have only 1 or 2 pages of the result data, while the rest of the pages are blank. Hopefully, the bug will be fixed by the next version of the app.

Version 4.2
June 28, 2011

Added AppFlow Support
Added support for TCP syslog

Version 4.1
Dec. 7, 2010

created new dashboard schema using time pickers.

Version 1.1
Aug. 25, 2010

Fixed field extraction issue.
Fixed reporting fields issue

Version 1.0
Aug. 16, 2010

Updating file extensions

Version 0.0
Aug. 16, 2010


Subscribe Share

Splunk Certification Program

Splunk's App Certification program uses a specific set of criteria to evaluate the level of quality, usability and security your app offers to its users. In addition, we evaluate the documentation and support you offer to your app's users.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2017 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.