Updated Splunk Netflow dashboard using Network Topology visualization and Network Toolkit add-ons.
Author: Travis Hall
Uploaded: 2025-01-14
Views: 577
I decided to revisit my Netflow Activity dashboard and make some much-needed improvements. While using this dashboard, I found that only half of the story was being presented by displaying download activity. With the changes I made during this video, this dashboard now allows me to see upload activity across the different devices in my network.
The Netflow Activity dashboard helps me understand activity in my home lab by analyzing netflow data from my OPNsense firewall. This dashboard begins with a simple timechart that shows a trend of average mb_in across all of my devices. I have OPNsense configured to send Netflow v9 data to a Splunk independent stream forwarder, which then sends it to my Splunk indexer.
This dashboard utilizes the Network Topology - Custom Visualization and the Network Toolkit to make it more interactive and enable WHOIS actions on source IP addresses. You will need to have both of these apps installed for the dashboard to function as intended.
Additionally, you will need to adjust the base search of this dashboard to match the index where the netflow data resides. Since this dashboard uses post-processing, you will also need to edit the provided source XML.
I have posted the source XML in my GoSplunk account - https://gosplunk.com/author/thall
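As an added illustration (not the author's posted XML), this Simple XML sketch shows the base search plus post-process pattern described above, with the index named in a single place. The index placeholder, the `stream:netflow` sourcetype, the `bytes_in`, `src_ip` and `dest_ip` field names, and the way `mb_in` is derived are assumptions; only `mb_in` appears in the description.

```xml
<dashboard version="1.1">
  <label>Netflow Activity (base search sketch)</label>

  <!-- Base search: the only place the index is named.
       Replace YOUR_NETFLOW_INDEX with the index that holds your netflow data.
       Because this base search is non-transforming, the explicit "fields"
       command is needed so post-process searches can see these fields. -->
  <search id="netflow_base">
    <query>index=YOUR_NETFLOW_INDEX sourcetype=stream:netflow
| eval mb_in = bytes_in / 1024 / 1024
| fields _time, src_ip, dest_ip, mb_in</query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>

  <row>
    <panel>
      <title>Average mb_in over time</title>
      <chart>
        <!-- Post-process search: inherits results from netflow_base,
             so it carries no index or sourcetype of its own. -->
        <search base="netflow_base">
          <query>timechart avg(mb_in) AS avg_mb_in</query>
        </search>
        <option name="charting.chart">line</option>
      </chart>
    </panel>
  </row>

  <row>
    <panel>
      <title>Top sources by mb_in</title>
      <table>
        <!-- Second post-process search reusing the same base results. -->
        <search base="netflow_base">
          <query>stats sum(mb_in) AS total_mb_in BY src_ip
| sort - total_mb_in
| head 10</query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Any field a panel needs must be listed in the base search's `fields` command, otherwise the post-process search returns nothing for it.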
Splunk documentation links:
Use drilldown for dashboard interactivity:
https://docs.splunk.com/Documentation...
Network Topology - Custom Visualization:
https://splunkbase.splunk.com/app/3762/
Network Toolkit:
https://splunkbase.splunk.com/app/3491/
Splunk Stream documentation:
https://docs.splunk.com/Documentation...
GoSplunk:
https://gosplunk.com/
https://gosplunk.com/author/thall
OPNsense Netflow Configuration:
https://docs.opnsense.org/manual/netf...