Dashboards and reports on Network Traffic events in Splunk.
| Property | Value |
|---|---|
| Author | Aplura, LLC |
| App Version | 1.2.5 |
| App Build | 32 |
| Creates an index | False |
| Implements summarization | No |
| Summary Indexing | False |
| Data Model Acceleration | If Enabled |
| Data Model | Network Traffic |
| Report Acceleration | False |
| Splunk Enterprise versions | 9.1, 9.0 |
| Platforms | Splunk Enterprise, Splunk Cloud |
This App provides the following scripts:

| Script | Purpose |
|---|---|
| Diag.py | For use with the diag command. |
| version.py | Contains the version of the extension. |
| app_properties.py | Contains different app properties. |
Very often, network traffic events can provide a lot of information about misconfigurations, potential attacks, and user activity. This app provides searches and dashboards based on the Splunk Common Information Model to help provide insight into your network traffic.
This app requires data model acceleration, which will use additional disk space. If you are using the Splunk App for Enterprise Security, this is already enabled, and should have been factored into your retention policies. If not, you should review the documentation on data model acceleration, how it uses disk space, and how to plan for it.
As mentioned above, the app uses the CIM for network traffic events. The CIM allows you to take events from a number of network traffic sources or products, and report on them in one cohesive manner, using a common set of names for fields and event types.
The Network Traffic data model includes both the `src` and `dest` fields and the `src_ip` and `dest_ip` fields. For this app, we have opted to use the `*_ip` versions of these fields, in case hostnames are being used for the other fields. Make sure your field extractions are correctly populating these fields.
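Because every search in the app keys on `src_ip` and `dest_ip`, a sourcetype whose extractions leave those fields empty silently drops out of the dashboards. The following search is an added example (not part of the app) that compares, per sourcetype, the total number of accelerated Network Traffic events with the number that actually carry each `*_ip` field; any row it returns is a sourcetype whose extractions need attention. It assumes the Network Traffic data model is accelerated; remove `summariesonly=true` to run it against raw events instead.

```spl
| tstats summariesonly=true
    count AS total
    count(All_Traffic.src_ip) AS with_src_ip
    count(All_Traffic.dest_ip) AS with_dest_ip
    from datamodel=Network_Traffic.All_Traffic
    by sourcetype
| eval missing_src_ip = total - with_src_ip
| eval missing_dest_ip = total - with_dest_ip
| eval pct_missing = round(100 * (missing_src_ip + missing_dest_ip) / (2 * total), 1)
| where missing_src_ip > 0 OR missing_dest_ip > 0
| sort - pct_missing
```

`count(field)` in `tstats` counts only events where the field is non-null, so the difference from `count` is exactly the number of events the app's `*_ip`-based searches will not see. If a sourcetype shows up here but its `src`/`dest` fields are populated with addresses, a `FIELDALIAS` or `EVAL` in props.conf that copies them into the `*_ip` fields is the usual fix.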
Provides a general overview of the network traffic events.
Provides information around an IP address (both `dest_ip` and `src_ip`), including traffic from, to, and possible open ports.
Information around the transport field of events (TCP, UDP, ICMP, etc.).
This form provides information based on the destination port (`dest_port`) field of events, such as the traffic over time, conversations, and sources.
Currently just top destinations (external and from external to internal). The determination on internal vs. external is configured by macros. See the App Configuration Macros section of this document.
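The app keeps the internal/external decision in macros so that it is defined in one place; the macro names are listed in the App Configuration Macros section and are not reproduced here. As an added illustration of what such a search computes (example code, not the app's own), the following inlines the RFC 1918 ranges with `cidrmatch` and returns the top external destinations that internal hosts talk to. The address ranges are an assumption; substitute your own allocations, and in practice keep them in a macro rather than repeating them in each search.

```spl
| tstats summariesonly=true
    sum(All_Traffic.bytes) AS bytes
    count AS events
    from datamodel=Network_Traffic.All_Traffic
    by All_Traffic.src_ip All_Traffic.dest_ip
| rename All_Traffic.* AS *
| eval src_zone = if(cidrmatch("10.0.0.0/8", src_ip) OR cidrmatch("172.16.0.0/12", src_ip) OR cidrmatch("192.168.0.0/16", src_ip), "internal", "external")
| eval dest_zone = if(cidrmatch("10.0.0.0/8", dest_ip) OR cidrmatch("172.16.0.0/12", dest_ip) OR cidrmatch("192.168.0.0/16", dest_ip), "internal", "external")
| where src_zone="internal" AND dest_zone="external"
| stats sum(bytes) AS bytes sum(events) AS events dc(src_ip) AS unique_sources by dest_ip
| sort - bytes
| head 20
```

Aggregating by `src_ip`/`dest_ip` inside `tstats` first and classifying afterwards keeps the `cidrmatch` evaluation on the (much smaller) pair list rather than on every event. Swapping the `where` clause to `src_zone="external" AND dest_zone="internal"` gives the inbound view the dashboard also shows.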
This dashboard provides the top potential scanners (both host and port scanners) based on network traffic.
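The following search is an added example of the kind of heuristic such a dashboard uses (not the app's own search): per 10-minute window it counts distinct destination ports per source/destination pair (port scanning) and distinct destinations per source (host scanning), then reports sources that cross a threshold. The thresholds of 50 are constructed values; tune them to your environment, and expect vulnerability scanners, monitoring systems and load balancers to appear legitimately.

```spl
| tstats summariesonly=true
    dc(All_Traffic.dest_port) AS unique_ports
    count AS events
    from datamodel=Network_Traffic.All_Traffic
    by All_Traffic.src_ip All_Traffic.dest_ip _time span=10m
| rename All_Traffic.* AS *
| eventstats dc(dest_ip) AS unique_dests by src_ip _time
| eval scan_type = case(unique_dests >= 50, "host scan", unique_ports >= 50, "port scan")
| where isnotnull(scan_type)
| stats max(unique_dests) AS max_unique_dests max(unique_ports) AS max_unique_ports sum(events) AS events values(scan_type) AS scan_type by src_ip
| sort - events
```

The `eventstats` step works because `tstats` with `span=10m` has already bucketed `_time`, so grouping by `src_ip _time` yields the number of distinct destinations each source touched in that window. Restricting `All_Traffic.action` to blocked traffic in the `tstats` `where` clause is a common refinement, since scans against closed ports show up mostly as denies.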
This is based on the geo-ip information provided by the built-in IP location from Splunk. Internal traffic is excluded from this page.
<div class="note"> The searches on this page may take a while to load. </div>

A form which allows for searching network traffic events based on a few different parameters.
This dashboard provides an overview of VPN traffic that has been observed. This dashboard uses accelerated data models and macros. Please make sure you accelerate the Network Traffic and Network Sessions data models. It is possible that there are different values for `action` and `signature`. This app expects `signature=login`, `signature=logout`, `action=success` or `action=failure`.
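Vendors often emit their own values for these fields (for example a sign-on event tagged with a product-specific signature name), so it is worth confirming what the accelerated data actually contains before relying on the VPN dashboard. The following search is an added example (not part of the app) that lists, per sourcetype, every `action`/`signature` combination in the Network Sessions data model that falls outside the values the app expects.

```spl
| tstats summariesonly=true count
    from datamodel=Network_Sessions.All_Sessions
    by sourcetype All_Sessions.action All_Sessions.signature
| rename All_Sessions.* AS *
| eval expected = if(in(signature, "login", "logout") AND in(action, "success", "failure"), "yes", "no")
| where expected="no"
| sort - count
```

Each row returned is a combination that the dashboard will not count as a login or logout. The usual remedy is an `EVAL-signature` or `EVAL-action` entry in props.conf for that sourcetype that maps the vendor's values onto the expected ones; because the data model is accelerated, the mapping takes effect for new events as they are summarized.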
This dashboard provides field information from the data models used to retrieve data for this application. Included information includes indexes and sourcetypes found in the data model. This dashboard also shows fields and constraints in the data models.
Information about the sourcetypes which are present in the accelerated data.
<div class="note"> This dashboard is not shown in the navigation bar. To view this dashboard, go to `Settings` → `User Interface` → `Views` → and select the `Open` option next to the `sourcetype_information` item in the list. </div>

A simple HTML version of this document.

<div class="note"> This dashboard is not shown in the navigation bar. To view this dashboard, go to `Settings` → `User Interface` → `Views` → and select the `Open` option next to the `About` item in the list. </div>

Configure PAVO Network Traffic App for Splunk
PAVO Network Traffic App for Splunk contains the following lookup files.
PAVO Network Traffic App for Splunk does not include an event generator.
Summary Indexing: No
Data Model Acceleration: If Enabled
Report Acceleration: No
Added VPN and data transparency dashboards
Update titles on dashboards
Documentation and Rename
Initial Release