Splunk can collect traffic flows and give users access to traffic information in the context of all the other IT data it collects.

Traffic flows come in many variants, generally dependent on the network device vendor:

  • NetFlow
  • sFlow
  • jFlow
  • etc.

Splunk has no native NetFlow transport support. However, many customers use one of the following tools to receive the binary NetFlow feed and write it out in textual form to a file or to STDOUT, from which Splunk can then collect it:

  • Argus
  • flowd
  • nfdump

An alternative way to handle NetFlow (jFlow, sFlow) in Splunk is NetFlow Logic's NetFlow Integrator, a rule-based NetFlow-to-syslog converter. It applies filtering, aggregation, deduplication, and obfuscation rules and can process hundreds of thousands of records per second on standard hardware, reducing the volume of NetFlow data that would otherwise be sent to Splunk.
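The two approaches above share a processing pipeline: take flow records that a collector has dumped as text, reduce their volume, and emit one event per record in a form Splunk indexes cleanly. The following is an added example written for this page; it is not code from Splunk, Argus, flowd, nfdump, or NetFlow Integrator. It assumes the collector writes header-driven CSV (the column names `ts`, `te`, `sa`, `da`, `sp`, `dp`, `pr`, `ipkt`, `ibyt` and the sample rows are constructed for illustration and may not match a given tool's exact output), and it shows the deduplication and aggregation steps that the rule-based converter performs before forwarding to Splunk.

```python
"""Turn text-dumped flow records into Splunk key=value events, with optional
volume reduction (deduplication + aggregation) before the events are written.

Added example, not part of the original page or of any tool it names. The
parsing is driven by the CSV header row, so the column names below are only an
assumption about what the collector emits; the counters `ipkt` and `ibyt` are
assumed to be present for the aggregation step."""
import csv
import io

# Constructed sample in the style of a header-driven CSV flow export
# (not real captured traffic). Rows 2 and 3 are an intentional exact duplicate.
SAMPLE_CSV = """\
ts,te,td,sa,da,sp,dp,pr,ipkt,ibyt
2024-01-15 10:00:01.000,2024-01-15 10:00:03.500,2.500,10.0.0.5,203.0.113.9,51234,443,TCP,12,8456
2024-01-15 10:00:02.000,2024-01-15 10:00:02.100,0.100,10.0.0.5,203.0.113.9,51235,443,TCP,3,180
2024-01-15 10:00:02.000,2024-01-15 10:00:02.100,0.100,10.0.0.5,203.0.113.9,51235,443,TCP,3,180
2024-01-15 10:00:04.000,2024-01-15 10:00:04.020,0.020,10.0.0.7,198.51.100.2,40000,53,UDP,1,76
"""


def parse_flows(text):
    """Parse header-driven CSV flow text into a list of dicts, one per record.
    Packet and byte counters are converted to int so they can be summed later."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        for counter in ("ipkt", "ibyt"):
            if counter in row:
                row[counter] = int(row[counter])
        records.append(row)
    return records


def dedupe(records):
    """Drop exact duplicate records, e.g. the same flow exported twice by a
    device or received through two collectors."""
    seen = set()
    unique = []
    for rec in records:
        signature = tuple(sorted((k, str(v)) for k, v in rec.items()))
        if signature in seen:
            continue
        seen.add(signature)
        unique.append(rec)
    return unique


def aggregate(records, key_fields=("sa", "da", "dp", "pr")):
    """Collapse records that share key_fields into one record: counters are
    summed, the earliest start and latest end are kept, and `flows` counts how
    many original records were merged. Source ports are intentionally dropped
    from the key so many short connections to one service become one event."""
    buckets = {}
    for rec in records:
        key = tuple(rec[f] for f in key_fields)
        bucket = buckets.get(key)
        if bucket is None:
            bucket = {f: rec[f] for f in key_fields}
            bucket.update(ts=rec["ts"], te=rec["te"], ipkt=rec["ipkt"],
                          ibyt=rec["ibyt"], flows=1)
            buckets[key] = bucket
        else:
            bucket["ts"] = min(bucket["ts"], rec["ts"])
            bucket["te"] = max(bucket["te"], rec["te"])
            bucket["ipkt"] += rec["ipkt"]
            bucket["ibyt"] += rec["ibyt"]
            bucket["flows"] += 1
    return list(buckets.values())


def to_kv_event(record):
    """Render one record as a single-line key=value event. The start timestamp
    leads the line so Splunk's default timestamp extraction picks it up; every
    other field is emitted as key="value" so automatic field extraction works."""
    rest = " ".join(f'{k}="{v}"' for k, v in record.items() if k != "ts")
    return f'{record["ts"]} {rest}'


def flow_text_to_events(text, reduce_volume=True):
    """Full pipeline: parse, optionally dedupe + aggregate, render events."""
    records = parse_flows(text)
    if reduce_volume:
        records = aggregate(dedupe(records))
    return [to_kv_event(r) for r in records]


if __name__ == "__main__":
    # Raw form: one event per record, as a plain file/STDOUT dump would give.
    for line in flow_text_to_events(SAMPLE_CSV, reduce_volume=False):
        print(line)
    print("--- reduced ---")
    for line in flow_text_to_events(SAMPLE_CSV):
        print(line)
```

Run as a script it prints the four raw events followed by the two reduced ones; in practice the reduced lines would be written to a file watched by a Splunk monitor input or sent over syslog. The aggregation key is the design decision that matters: dropping the source port is what collapses port-scan-style bursts of short flows into one event, but it also hides per-connection detail, so keep the raw dump if investigations need it.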

