This app is not officially supported by Splunk Support. If you have a current Splunk Enterprise Support entitlement, Splunk will provide best-effort support for cases involving this app directly, but such cases will not be subject to the Splunk Enterprise Support SLA.
The Splunk for Citrix NetScaler app is a set of field extractions, reports, lookups and dashboards which provide visibility into the Citrix NetScaler AppFlow, Application Firewall and VPN data. This app is configured to work with version 9.x of the Citrix NetScaler.
The Splunk App for NetScaler with AppFlow translates binary AppFlow data to time- stamped ASCII text, so Splunk can utilize it and put it in context of all other data in the environment such as custom application log data, logs and metrics data of application components such as web servers, application servers, databases, firewalls, hypervisors and more. With added visibility into NetScaler and Appflow data, systems administrators and application support professionals are able to get central visibility into their entire environment and are able to correctly identify performance bottlenecks that lead to user experience issues. In addition to being able to detect and troubleshoot application performance issues faster, administrators can also visualize baselines, trends and other analytics that can help them plan capacity and make transactions more efficient for a better customer experience.
Splunk’s powerful visualization provides real-time views and role-appropriate dashboards on the state of key application performance and availability metrics. The flexibility and universality of Splunk allows you to put your operational data in a business context to allow richer, more informed business decision making. It also allows you to integrate in non-IT data to provide value added analysis that support the organization’s business objectives.
The Splunk App for NetScaler with AppFlow contains over 30 reports for situational awareness and dashboards supporting key business and security performance indicators (KPIs). Key reports available include:
HTTP user agent: shows you which platforms are most commonly used to access your web application
Most requested URLs: allows you to prioritize your response time optimization
Source and destination IPs and ports: gives you real time insight into the origins of your traffic
Average transaction times and round trip response times: allows you to monitor end user service levels
Traffic analysis by applications/servers: includes analysis of latencies and bandwidth usage
Load balancing dashboard: provides views of total bytes transferred by source destination and protocol
Web application firewall dashboard: shows violations by type over time, violations by IP address and the URL of the web page attacked.
SSL-VPN dashboard Critical Statistics dashboard: indicates the number of HTTP transactions URI, virtual server, user and host trended over time.
System Audit dashboard: depicts system console events and tracking commands/changes by user.
Reports from Splunk can be downloaded in PDF or Excel format and data ranges are fully supported. Reports can also be scheduled for delivery to individuals as PDFs. The Splunk App for Citrix NetScaler supports core Splunk functionality such as the ability to drill-down into raw log data from graphical elements and robust role-based access control.
For this app to work your Citrix NetScaler data must be extracting fields correctly. The Field Extractions included in this app are configured for the NetScaler v 9.0 and higher.
Support for NetScaler version 10.x
Dashboards converted to Simple XML
Splunk CIM Compliance
Requires separate IPFIX collector http://apps.splunk.com/app/1801/
For this app to work your Citrix NetScaler data must be extracting fields correctly. The Field Extractions included in this app are configured for the NetScaler v 9.
To configure the app please set the sourcetype of your NetScaler logs to ns_log. If your data has already been indexed under a different sourcetype you will need to create a sourcetype alias for ns_log
To install the app, unpack this file into $SPLUNK_HOME/etc/apps and restart.
The indexing portion of this app has been split from the main app. This is found in the /appserver/addons/NS_Indexer directory. Copy that into $SPLUNK_HOME/etc/apps on your indexer and restart
*** AppFlow Configuration ***
The configuration file (ipfix.conf) is located in the app's "default" directory, which is $SPLUNK_HOME/etc/apps/Splunk_TA_IPFIX_UDP/default/ipfix.conf . The appflow dashboards and reports rely on the sourcetype=appflow.
- Fixed permissions in default.meta
- Fixed a bug when incoming AppFlow records are incomplete.
- Added a new field 'templateId' for easily searching records with a specific AppFlow Template ID.
- Fixed bug: Duplicate Application names in AppFlow Traffic Analysis dashboards.
Fix bug with the error caused by the python script when parsing appflow traffic.
Fix bug with the lookup table issue.
Add lookup for appID (e.g. Virtual Server name) and minor interface changes.
This release updates the NetScaler Overview dashboard and the AppFlow Security dashboard.
This version includes new dashboards under AppFlow menu and bug fixes.
*** NOTE: There is a bug in Paginator components of AppFlow dashboards. For example, it may show that you have 10 pages of result data, but actually, you have only 1 or 2 pages of the result data, while the rest of the pages are blank. Hopefully, the bug will be fixed by the next version of the app.
Added AppFlow Support
Added support for TCP syslog
created new dashboard schema using time pickers.
Fixed field extraction issue.
Fixed reporting fields issue
Updating file extensions
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.