NETSCOUT App
The NETSCOUT App is an Atlas application for identifying network-connected assets and investigating their traffic patterns by combining NETSCOUT data with Splunk context. It is designed to help teams move quickly from broad discovery into IP-level investigation without leaving Splunk.
The application ships with two primary experiences:
- Discovery, which summarizes servers, applications, activity volume, and related enrichment into a searchable workspace.
- IP Investigation, which pivots from a selected IP into peer communications, performance indicators, and related alerts.
NETSCOUT App Capabilities
- Discover servers and applications observed in NETSCOUT data.
- Summarize unique IP counts, connection counts, and traffic volume over time.
- Investigate a selected IP's conversations with peers using metrics-backed summaries.
- Highlight optional enrichment such as Splunk forwarding coverage, CIM presence, Enterprise Security asset coverage, and AI-related application activity.
- Surface related notable events and fired alerts alongside IP conversations.
- Deep-link directly into IP Investigation with an ipURL parameter from other Splunk views.
How It Works
NETSCOUT App correlates four primary data sets to provide insights:
1. NETSCOUT Source Data
By default the app searches:
- The index defined by the AtlasNetScoutIndexes macro. Default: index=netscoutoais
- The sourcetype defined by the AtlasNetScoutSourcetypes macro. Default: sourcetype=netscout:omnis-application
This default sourcetype is the primary data source for the modern app experience because it provides the server IP, client IP, application, packet volume, and latency fields required for Discovery and IP Investigation. In practice, this data is expected to come from the NETSCOUT Omnis AI Streamer add-on deployed in Splunk.
2. Discovery Lookup
The scheduled search Atlas NETSCOUT Discovery maintains the atlas_netscout_discovery KV store collection. The Discovery tab reads from this lookup to populate device and application views quickly.
3. Metrics Summaries
NETSCOUT App writes summary metrics into the metrics index defined by AtlasNetScoutMetrics. By default this is _metrics, though a dedicated metrics index is recommended for access control and retention management.
These metrics power:
- Discovery summary trends for unique IPs, total connections, and total volume
- IP Investigation conversation summaries
4. Configurable IP Classification
The AtlasNetScoutPrivateIPRegex macro controls how the app decides whether an IP should be treated as private or public. Discovery uses this macro in its network filters, so environments with special addressing schemes can tune the app without changing code.
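The following Python example is added here and is not part of the NETSCOUT App; it mirrors in Python what a tuned AtlasNetScoutPrivateIPRegex value does in the Discovery network filter and audits it against the RFC 1918 ranges before it is deployed. The macro value, the sample IPs, and the helper names are constructed assumptions, since the page does not show the app's actual default regex.

```python
import ipaddress
import re

# Constructed value for the AtlasNetScoutPrivateIPRegex macro covering only the
# RFC 1918 ranges. The app's real default is not shown on the page.
PRIVATE_IP_REGEX = re.compile(
    r"^(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})$"
)

# Same pattern with the ^...$ anchors dropped: a common mistake when tuning the macro.
LOOSE_IP_REGEX = re.compile(PRIVATE_IP_REGEX.pattern[1:-1])

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of server/client IPs as they might appear in NETSCOUT events,
# chosen to sit on the range boundaries where a hand-written regex usually goes wrong.
SAMPLE_IPS = [
    "10.1.2.3", "172.16.0.1", "172.31.255.254", "172.32.0.1",
    "192.168.10.20", "192.169.1.1", "110.0.0.1", "8.8.8.8",
]


def classify(ip, pattern=PRIVATE_IP_REGEX):
    """Mirror the Discovery network filter: 'private' if the macro regex matches, else 'public'."""
    return "private" if pattern.search(ip) else "public"


def audit_regex(pattern, samples):
    """Return the sample IPs whose regex verdict disagrees with the RFC 1918 ranges.

    Running this over a tuned macro value before deploying it catches patterns that
    silently turn external peers into 'private' ones (or vice versa) in Discovery.
    """
    mismatches = []
    for ip in samples:
        addr = ipaddress.ip_address(ip)
        expected = "private" if any(addr in net for net in RFC1918) else "public"
        if classify(ip, pattern) != expected:
            mismatches.append(ip)
    return mismatches


if __name__ == "__main__":
    for ip in SAMPLE_IPS:
        print(f"{ip:16} anchored={classify(ip):8} loose={classify(ip, LOOSE_IP_REGEX)}")
    print("anchored mismatches:", audit_regex(PRIVATE_IP_REGEX, SAMPLE_IPS))
    print("loose mismatches:   ", audit_regex(LOOSE_IP_REGEX, SAMPLE_IPS))
```

The unanchored variant classifies the public address 110.0.0.1 as private because the substring 10.0.0.1 matches, which is exactly the kind of filter error that hides an external peer in Discovery.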
Optional Integrations
NETSCOUT App checks for several Splunk apps and uses them when available:
- NETSCOUT Omnis AI Streamer Add-on (Required): Provides the NETSCOUT data searched by the app
- Splunk Enterprise Security (Optional): Enables the Not in Assets and Identities Framework check and ES Alerts Integration
- Splunk IT Service Intelligence (Optional): Enables ITSI Alerts Integration
- Splunk_SA_CIM (Optional): Used in the Not in Splunk check
The Omnis AI Streamer add-on is required for NETSCOUT App to have source data. Enterprise Security, ITSI, and Splunk_SA_CIM are optional integrations that enable the related checks and alert integrations above.