Netflow data is a type of network traffic data that was developed by Cisco but has now become a more generic term for referring to a method of collecting and monitoring traffic generated by network devices, such as routers and switches. A netflow solution consists of a flow generator or exporter, a flow collector, and an analysis application (in this case, Splunk!).
Data visibility
Netflow data is a rich data source with cross-functional value to the enterprise. Use cases for basic flow data include monitoring the availability, efficiency, and security of networks, hosts, and applications.
Data application
When your Splunk deployment is ingesting netflow data, you can use the data to achieve objectives related to the following use cases:
High-value fields
In the Common Information Model, netflow data is typically mapped to the Network Traffic Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.
dest
Destination of the network traffic (the remote host).
dest_ip
IP address of the destination.
dev_ip
IP address of the device.
dev_mac
Device TCP/IP layer 2 Media Access Control (MAC) address of a packet's destination, such as 06:10:9f:eb:8f:14.
protocol
OSI layer 3 (network) protocol of the traffic observed, written in all lower case.
src
Source of the network traffic (the client requesting the connection).
src_ip
IP address of the source.
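To show how these Network Traffic data model fields are used in practice, the following SPL search is an added example and not part of the original article. It assumes the Network_Traffic data model is accelerated (so tstats can run against it), uses the CIM field bytes alongside the fields listed above, and the threshold of 200 distinct destinations per hour is an arbitrary placeholder to tune for your environment.

```spl
| tstats summariesonly=true
    count,
    sum(All_Traffic.bytes) as bytes,
    dc(All_Traffic.dest_ip) as distinct_dests
    from datamodel=Network_Traffic.All_Traffic
    where All_Traffic.protocol="tcp"
    by All_Traffic.src_ip, _time span=1h
| rename All_Traffic.* as *
| where distinct_dests > 200
| sort - distinct_dests
| table _time, src_ip, distinct_dests, count, bytes
```

Each row is one source host in one hour that reached an unusually large number of distinct destinations; the same fields (src_ip, dest_ip, protocol) drive most availability and security use cases on flow data.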
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
Data Source | Sourcetype | Recommended Add-Ons
Cisco | There are many available sourcetypes, depending on what data you need. |
NetFlow Logic | There are many available sourcetypes, depending on what data you need. |