We recently released Splunk App - NetFlow-based Network Monitoring. It enables Splunk users to examine the network traffic passing through network devices in real time. This App works with the NetFlow Integrator, a rule-based technology, which allows to filter, aggregate, deduplicate, and do other processing, and converting data to Syslog message in key=value format and forward it to Splunk.
The rule created for this App allows Splunk users to view traffic by NetFlow producer, by link (a link is defined as a pair of ingress and egress interfaces identified by their respective SNMP indexes), and by protocol.
In Rel 1.1 a new view was added that shows the average packet size per link for a selected time period. An unexpected drop in packet size (packet fragmentation) could be an indication of a problem on the network or an attack.
Post your feedback, interesting ideas, and rules you want to see implemented to make NetFlow Integration more useful!
The app is available at: http://splunk-base.splunk.com/apps/43328/netflow-based-network-monitoring-beta
I've been toying with the idea of using Splunk to do NetFlow but I've gotten used to the power and flexibility of using a purpose built NBAD solution. The NetFlow analysis capabilities seem underdeveloped in the Splunk app. What about layer 7 visibility, Network RTT, Response Time, Server Delay, Client Delay, topology, host pair and ports reporting, and network diagram mapping of connections or sessions? Just to name a few.
Thank you for your feedback. Layer 7 visibility is coming in March with our Palo Alto Network NetFlow support. Most of other features are on our roadmap. Ports reporting is available today as a configurable option. If you need any additional assistance, or have question, feel free to contact us at: https://netflowlogic.zendesk.com/home or firstname.lastname@example.org