Getting Data In

Splunk network monitoring

perfecto25
Path Finder

Hello, I am trying to figure out how we can use Splunk to monitor and report on our network,

specifically I need to catch network errors for things like,

  1. dropped packets or connections
  2. any kind of network error
  3. blockage by firewall or switch ACL
  4. any other form of connection data

I tried Splunk Stream, which gives us a lot of data of general chatter and bandwidth info, but it's not very useful for detecting network errors or troubleshooting problems.

Is there an app or examples on how to set something like this up? Thanks.

0 Karma

NetFlow_Logic
Contributor

You may need to collect the following data in Splunk:

> dropped packets or connections
> any kind of network error

You can get this information from SNMP polling/traps or sFlow counters or certain NetFlow/IPFIX records.

> blockage by firewall or switch ACL

syslogs or NetFlow data

> any other form of connection data

NetFlow, sFlow, IPFIX

We are a Splunk partner and we provide all this data (except syslog, which is natively ingested by Splunk) with our product - NetFlow Optimizer.

Try it for free by visiting https://www.netflowlogic.com/download/

0 Karma

solarboyz1
Builder

Splunk is a data tool, for it to help you with those issues, you would need to provide the information required to identify the issue.

> specifically I need to catch network errors for things like,
>
> 1. dropped packets or connections

You will need to define what you mean here, packets are dropped on networks all the time.

> 2. any kind of network error
> 3. blockage by firewall or switch ACL
> 4. any other form of connection data

0 Karma

solarboyz1
Builder

What I meant to say:

  1. dropped packets or connections
  2. any kind of network error
  3. blockage by firewall or switch ACL
  4. any other form of connection data

Configure switches/routers/firewalls to syslog to your Splunk instance.
Install the appropriate apps for the network devices used.

You can install streams and capture the metadata, or configure netflow collectors and send to streams.
All depends on what you have available and what you are trying to do.

But getting the logs from your network devices is probably a good first step and will meet many if not all of your needs.

0 Karma
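As an added example (not from the thread or from any Splunk app) of what the answer above implies once device syslog is flowing: parse firewall and switch ACL deny messages into CIM-style fields (action, src, dest, dest_port, transport) and summarise which sources are being blocked most. The sample lines are constructed, modelled on Cisco ASA message 106023 and IOS IPACCESSLOGP; the message formats and field names are assumptions, and the same logic maps onto a Splunk search over the same fields.

```python
import re
from collections import Counter

# Constructed sample syslog lines (assumption: formats modelled on Cisco ASA
# 106023 and IOS IPACCESSLOGP messages; addresses are RFC 5737 examples).
SAMPLE_SYSLOG = """\
<164>Jan 10 12:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.10/22 by access-group "outside_in" [0x0, 0x0]
<164>Jan 10 12:00:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.0.0.10/22 by access-group "outside_in" [0x0, 0x0]
<164>Jan 10 12:00:03 fw1 %ASA-4-106023: Deny udp src outside:198.51.100.7/5000 dst inside:10.0.0.53/53 by access-group "outside_in" [0x0, 0x0]
<190>Jan 10 12:00:04 sw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(51236) -> 10.0.0.10(22), 1 packet
<190>Jan 10 12:00:05 sw1 %SEC-6-IPACCESSLOGP: list 101 permitted tcp 10.0.0.20(40000) -> 10.0.0.10(443), 1 packet
<166>Jan 10 12:00:06 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.9/44444 (198.51.100.9/44444) to inside:10.0.0.10/443 (10.0.0.10/443)
"""

ASA_DENY = re.compile(
    r"%ASA-\d-106023: Deny (?P<transport>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dest>[\d.]+)/(?P<dest_port>\d+) by access-group \"(?P<rule>[^\"]+)\""
)
IOS_ACL = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<rule>\S+) (?P<action>denied|permitted) (?P<transport>\w+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dest>[\d.]+)\((?P<dest_port>\d+)\)"
)

def parse_event(line):
    """Normalise one syslog line into CIM-style fields; None if it is not an ACL decision."""
    m = ASA_DENY.search(line)
    if m:
        d = m.groupdict()
        d["action"], d["device"] = "blocked", "firewall"
        return d
    m = IOS_ACL.search(line)
    if m:
        d = m.groupdict()
        d["action"] = "blocked" if d.pop("action") == "denied" else "allowed"
        d["device"] = "switch"
        return d
    return None  # connection built/teardown and other chatter is ignored here

def blocked_summary(text, threshold=2):
    """Count blocked flows per (src, dest, dest_port) and list sources at/above threshold."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev and ev["action"] == "blocked":
            counts[(ev["src"], ev["dest"], int(ev["dest_port"]))] += 1
    per_src = Counter()
    for (src, _, _), n in counts.items():
        per_src[src] += n
    noisy = sorted(s for s, n in per_src.items() if n >= threshold)
    return counts, noisy

if __name__ == "__main__":
    flows, noisy_sources = blocked_summary(SAMPLE_SYSLOG)
    for (src, dest, port), n in flows.most_common():
        print(f"{n:3d} blocked  {src} -> {dest}:{port}")
    print("sources over threshold:", noisy_sources)
```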