Version: Atlas v4.6

Install and Configure NETSCOUT App

Solution Overview

The NETSCOUT App is a search-head application that summarizes NETSCOUT data into a KV store collection and a metrics index. The app is configured primarily through macros, and its scheduled searches are responsible for maintaining the summarized data used by the user interface.

Dependencies

NETSCOUT App depends on other Splunk apps for both source data and optional feature integrations.

  • NETSCOUT Omnis AI Streamer Add-on: Required. Provides the NETSCOUT source data used by NETSCOUT App
  • Splunk Enterprise Security: Optional. Enables the Not in Assets and Identities Framework check and ES Alerts Integration
  • Splunk IT Service Intelligence: Optional. Enables ITSI Alerts Integration
  • Splunk_SA_CIM: Optional. Used in the Not in Splunk check

Required Data

The modern NETSCOUT App experience expects NETSCOUT application-flow data. By default it searches:

  • index=netscoutoais
  • sourcetype=netscout:omnis-application

If your environment uses a different index, sourcetype, or renamed playbook, update the app macros instead of editing searches directly.

Install the NETSCOUT Data Dependency

Install the NETSCOUT Omnis AI Streamer Add-on so that the netscout:omnis-application data searched by NETSCOUT App is available in Splunk. NETSCOUT App does not generate this source data itself; it summarizes and analyzes the data provided by that add-on.

Minimum Fields

The app source defines the following minimum fields for the sourcetype configured in AtlasNetScoutSourcetypes.

These fields are already present in the default NETSCOUT application sourcetype, netscout:omnis-application, which is why it is the recommended default. If you change the macro to point at a custom playbook or renamed sourcetype, that custom data source must still include these fields for NETSCOUT App to function correctly.

Discovery requires:

  • server_host_ip_address
  • client_host_ip_address
  • application_name
  • to_server_packets
  • from_server_packets
  • sum_of_client_latency
  • client_latency_count
  • sum_of_server_latency
  • server_latency_count
  • peak_response_time

IP Investigation additionally requires:

  • successful_transactions
  • failed_transactions
  • timeouts
  • sum_of_all_response_times
  • client_to_server_retries
  • server_to_client_retries
  • client_zero_window
  • server_zero_window
  • ai_sensor_name
  • server_port
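The field lists above matter most when AtlasNetScoutSourcetypes is repointed at a custom playbook. The following added example (not part of NETSCOUT App or its documentation) checks a sample event against both minimum-field sets; the field names come from this page, and the sample event is constructed.

```python
# Added example, not NETSCOUT App code: verify that a custom playbook or renamed
# sourcetype still carries the minimum fields Discovery and IP Investigation need.
DISCOVERY_FIELDS = frozenset({
    "server_host_ip_address", "client_host_ip_address", "application_name",
    "to_server_packets", "from_server_packets", "sum_of_client_latency",
    "client_latency_count", "sum_of_server_latency", "server_latency_count",
    "peak_response_time",
})
IP_INVESTIGATION_FIELDS = DISCOVERY_FIELDS | frozenset({
    "successful_transactions", "failed_transactions", "timeouts",
    "sum_of_all_response_times", "client_to_server_retries",
    "server_to_client_retries", "client_zero_window", "server_zero_window",
    "ai_sensor_name", "server_port",
})

def missing_fields(event, required):
    """Return the required fields that are absent or empty in one event.
    An empty value is reported too, so a field that exists in the schema
    but is never populated does not pass the check."""
    return sorted(f for f in required if event.get(f) in (None, ""))

def check_event(event):
    """Report, per workflow, which minimum fields the event lacks."""
    return {
        "Discovery": missing_fields(event, DISCOVERY_FIELDS),
        "IP Investigation": missing_fields(event, IP_INVESTIGATION_FIELDS),
    }

# Constructed event from a hypothetical renamed playbook that kept every
# Discovery field but dropped two of the IP Investigation fields.
SAMPLE_EVENT = {
    "server_host_ip_address": "10.20.30.40", "client_host_ip_address": "192.168.1.5",
    "application_name": "HTTP", "to_server_packets": 120, "from_server_packets": 340,
    "sum_of_client_latency": 4500, "client_latency_count": 12,
    "sum_of_server_latency": 9800, "server_latency_count": 12,
    "peak_response_time": 2100, "successful_transactions": 11,
    "failed_transactions": 1, "timeouts": 0, "sum_of_all_response_times": 15000,
    "client_to_server_retries": 0, "server_to_client_retries": 2,
    "client_zero_window": 0, "server_zero_window": 0,
    # "ai_sensor_name" and "server_port" are intentionally absent
}

if __name__ == "__main__":
    for workflow, missing in check_event(SAMPLE_EVENT).items():
        print(f"{workflow}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```

Run it against a handful of real events exported from the custom sourcetype before switching the macro, so that Discovery does not go silently empty.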

Configuration Macros

NETSCOUT App exposes four macros in macros.conf.

  • AtlasNetScoutIndexes (default: index=netscoutoais): Selects the NETSCOUT event index or indexes
  • AtlasNetScoutSourcetypes (default: sourcetype=netscout:omnis-application): Selects the NETSCOUT sourcetype used by the app
  • AtlasNetScoutMetrics (default: _metrics): Selects the metrics index that stores NETSCOUT App summaries
  • AtlasNetScoutPrivateIPRegex (default: RFC1918-style private IP regex plus loopback/link-local patterns): Controls Discovery's private vs public IP classification

Scheduled Searches

NETSCOUT App ships with two scheduled summary searches. Both run every five minutes using the schedule 1-59/5 * * * * and summarize the last five minutes of NETSCOUT data.

  • Atlas NETSCOUT Discovery: Maintains the Discovery lookup and writes high-level trend metrics. Output: atlas_netscout_discovery KV store and metrics component AtlasNetScoutMetrics
  • Atlas NETSCOUT Conversation Summary: Maintains conversation-level metrics used by IP Investigation. Output: metrics component AtlasNetScoutConversationSummary

Atlas NETSCOUT Discovery

This search:

  • Aggregates packet volume, first seen, last seen, client counts, latency totals, and peak response time by application and server IP
  • Writes the latest merged state into the atlas_netscout_discovery KV store lookup
  • Calculates summary counts for IPs, connections, and volume
  • Writes those summaries to the metrics index with component AtlasNetScoutMetrics

Atlas NETSCOUT Conversation Summary

This search:

  • Buckets activity into 5-minute intervals
  • Summarizes server-to-client conversations by server IP, client IP, application, sensor, and server port
  • Captures performance and reliability metrics such as latency totals, retries, zero-window counts, sessions, and failed connections
  • Writes results to the metrics index with component AtlasNetScoutConversationSummary

Metrics Index Design

The app defaults to _metrics, but the source comments recommend moving to a dedicated metrics index when you need stronger control over retention or role-based access.

NETSCOUT App uses metric searches in two places:

  • Discovery summary sparklines read ips, connections, and volume from component AtlasNetScoutMetrics
  • IP Investigation reads conversation metrics from component AtlasNetScoutConversationSummary

If you move to a dedicated metrics index, update AtlasNetScoutMetrics and make sure users of the app can search that metrics index.

KV Store Collection

Discovery relies on a KV store collection named atlas_netscout_discovery. The corresponding lookup definition uses the same name and stores:

  • application_name
  • ip
  • to_volume
  • from_volume
  • lastactive
  • firstactive
  • clients
  • client_ips
  • sum_of_client_latency
  • client_latency_count
  • sum_of_server_latency
  • server_latency_count
  • max_peak_response_time_usec

If Discovery appears empty while raw data is present, verify that the Atlas NETSCOUT Discovery scheduled search is running successfully and that the KV store is healthy.

Private and Public IP Classification

Discovery's Private IP and Public IP filters depend entirely on AtlasNetScoutPrivateIPRegex. If your organization uses non-standard internal ranges or you want to narrow the definition, update this macro.

This configuration affects:

  • Device filtering in Discovery
  • Application filtering in Discovery when applications are associated with private or public servers
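Because every private/public decision in Discovery comes from this one regex, an unanchored or over-broad pattern silently misfiles servers. The following added example (not the app's shipped macro value) shows an anchored pattern of the kind the macro describes, RFC1918 plus loopback and link-local, next to a loose pattern, and reports the addresses on which the two disagree; the sample addresses are constructed.

```python
import re

# Added example, not the default AtlasNetScoutPrivateIPRegex: an anchored
# pattern covering RFC 1918, loopback and link-local ranges.
PRIVATE_IP_REGEX = re.compile(
    r"^(?:"
    r"10(?:\.\d{1,3}){3}"                          # 10.0.0.0/8
    r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}"  # 172.16.0.0/12
    r"|192\.168(?:\.\d{1,3}){2}"                   # 192.168.0.0/16
    r"|127(?:\.\d{1,3}){3}"                        # 127.0.0.0/8 loopback
    r"|169\.254(?:\.\d{1,3}){2}"                   # 169.254.0.0/16 link-local
    r")$"
)

# Loose pattern: "10." also matches inside 110.x.x.x and "172.1" matches
# 172.100.x.x, so public servers end up behind the Private IP filter.
LOOSE_IP_REGEX = re.compile(r"10\.|172\.1|192\.168|127\.|169\.254")

def classify(ip, pattern=PRIVATE_IP_REGEX):
    """Return 'private' when the address matches the macro-style regex, else 'public'."""
    return "private" if pattern.search(ip) else "public"

def compare(ips):
    """Return {ip: (loose_result, anchored_result)} for every address on which
    the two patterns disagree, so a custom macro value can be checked against
    known addresses before it is deployed."""
    return {ip: (classify(ip, LOOSE_IP_REGEX), classify(ip)) for ip in ips
            if classify(ip, LOOSE_IP_REGEX) != classify(ip)}

# Constructed sample addresses, including the edges of 172.16.0.0/12.
SAMPLE_IPS = ["10.4.5.6", "172.16.0.9", "172.32.0.1", "110.5.6.7",
              "172.100.1.1", "192.168.7.8", "127.0.0.1", "169.254.10.20", "8.8.8.8"]

if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(f"{ip:16} {classify(ip)}")
    print("disagreements:", compare(SAMPLE_IPS))
```

Splunk evaluates the macro with PCRE, so a pattern validated here with Python's re module carries over as long as it sticks to the basic syntax used above.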

Optional Enrichment Sources

Some Discovery filters and IP Investigation alert links depend on optional Splunk apps:

  • Splunk Enterprise Security: Optional. Enables the Not in Assets and Identities Framework check and ES Alerts Integration
  • Splunk IT Service Intelligence: Optional. Enables ITSI Alerts Integration
  • Splunk_SA_CIM: Optional. Used in the Not in Splunk check

The core NETSCOUT workflows still function without these integrations.

Validate the Configuration

After configuring the app, validate it with the following checks:

  1. Search the configured NETSCOUT index and sourcetype and confirm the required fields exist.
  2. Confirm both scheduled searches complete successfully in Splunk scheduler history.
  3. Verify | inputlookup atlas_netscout_discovery returns rows.
  4. Verify | mstats sum(ips) where index=`AtlasNetScoutMetrics` component=AtlasNetScoutMetrics returns data.
  5. Verify | mstats sum(to_volume) where index=`AtlasNetScoutMetrics` component=AtlasNetScoutConversationSummary by server_ip client_ip returns data.