Version: Atlas v4.6

Using NETSCOUT App

Application Overview

The NETSCOUT App has two main tabs in the Home view:

  1. Discovery
  2. IP Investigation

Discovery

Discovery summarizes the devices and applications that NETSCOUT App has observed, drawing on the atlas_netscout_discovery lookup and its companion metrics summaries. Using the Discovery Filters, you can narrow the list to devices and applications that may be Shadow IT or that lack Splunk or NETSCOUT visibility, which lets an IT team validate and control what is actually present in its environment.

Time Range

The Discovery tab supports these global time ranges:

  • Last 15 minutes
  • Last 60 minutes
  • Last 4 hours
  • Last 24 hours
  • Last 7 days
  • Last 30 days

This time range controls both the Discovery tables and the summary trend metrics shown at the top of the page.

Modes

Discovery has two modes:

  • Devices shows individual IPs and their associated metadata
  • Applications shows application-level summaries across observed traffic

Discovery Summary

The summary cards at the top of the page display:

  • Devices Identified or Applications Identified
  • Total Unique IPs
  • Total Connections
  • Total Volume

The trend visualizations are sourced from the metrics index through the AtlasNetScoutMetrics macro.

Device View

In Devices mode, the Discovery table lists hosts in the environment by IP address that match the selected use cases. This mode supports three column layouts:

  • Discovery
  • Performance
  • Custom

The Device table includes the following core fields:

  • IP address
  • Name
  • Shadow IT tags
  • Applications
  • Connections
  • Volume
  • Average client latency
  • Average server latency
  • Maximum peak response
  • First activity
  • Last activity

If additional fields are present in the summarized results, NETSCOUT App adds them as optional dynamic columns.

You can pivot to IP Investigation by:

  • Clicking the investigation icon next to an IP
  • Double-clicking a device row

Application View

In Applications mode, the Discovery table focuses on applications identified in the NETSCOUT and Splunk data. The table summarizes:

  • Application name
  • Shadow IT tags
  • Server count
  • Client count
  • Volume
  • Average client latency
  • Average server latency
  • Maximum peak response
  • First activity
  • Last activity

Discovery Filters

Discovery includes several filter groups that narrow the Discovery table to selected enrichment options.

Applications

  • A multi-select list built from the application values currently present in Discovery results

Network

  • Private IP
  • Public IP

These network filters are driven by the AtlasNetScoutPrivateIPRegex macro.
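As an added illustration of the private/public split these filters apply (example code added here, not the app's own code; the page does not show the definition of the AtlasNetScoutPrivateIPRegex macro, so the RFC 1918 regex and the IPv6 ULA handling below are assumptions): the following Python classifies addresses two independent ways, with a regex of the kind a Splunk macro would carry and with an ipaddress-based network check, and applies the result to a constructed set of Discovery rows. The comparison also shows why a regex alone is a weaker check: it accepts malformed octets that the ipaddress parser rejects.

```python
import ipaddress
import re

# RFC 1918 IPv4 ranges, expressed both as networks (for ipaddress) and as a
# single regex of the kind a Splunk macro might carry. The regex is an
# assumption for illustration, not the real AtlasNetScoutPrivateIPRegex definition.
RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
PRIVATE_IPV4_REGEX = re.compile(
    r"^(?:10(?:\.\d{1,3}){3}"
    r"|172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2}"
    r"|192\.168(?:\.\d{1,3}){2})$"
)
# IPv6 unique local addresses (fc00::/7) are treated as private here (assumption).
ULA_NETWORK = ipaddress.ip_network("fc00::/7")


def is_private_regex(ip: str) -> bool:
    """Regex-only check: matches RFC 1918-shaped IPv4 text, never IPv6.

    Note that it also matches impossible octets such as 10.999.1.1, because the
    pattern only constrains digit counts, not octet values.
    """
    return PRIVATE_IPV4_REGEX.match(ip) is not None


def classify(ip: str) -> str:
    """Return 'private', 'public' or 'invalid' using network membership."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    nets = RFC1918_NETWORKS if addr.version == 4 else [ULA_NETWORK]
    return "private" if any(addr in net for net in nets) else "public"


def apply_network_filter(rows, selection):
    """Keep rows whose 'ip' matches the chosen Discovery Network filter.

    selection is 'Private IP' or 'Public IP', mirroring the filter labels on the
    Discovery page; rows with an unparsable IP are dropped from both views.
    """
    wanted = "private" if selection == "Private IP" else "public"
    return [row for row in rows if classify(row["ip"]) == wanted]


# Constructed sample rows resembling Discovery Device output (not real data).
SAMPLE_ROWS = [
    {"ip": "10.20.30.40", "name": "build-01"},
    {"ip": "172.31.255.254", "name": "db-02"},
    {"ip": "172.32.0.1", "name": "vendor-gw"},  # outside 172.16/12: public
    {"ip": "203.0.113.9", "name": "saas-edge"},
    {"ip": "fd12:3456::1", "name": "lab-v6"},  # ULA: private under the assumption above
    {"ip": "2001:db8::1", "name": "ext-v6"},
    {"ip": "not-an-ip", "name": "garbage"},  # dropped from both views
]

if __name__ == "__main__":
    for selection in ("Private IP", "Public IP"):
        names = [row["name"] for row in apply_network_filter(SAMPLE_ROWS, selection)]
        print(selection, names)
```

The 172.32.0.1 and 10.999.1.1 cases are the ones worth keeping in mind when tuning a regex-based macro: the /12 boundary of 172.16.0.0/12 is easy to get wrong, and a regex cannot reject an octet above 255 on its own.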

Default Enrichment Filters

The current app source defines these default enrichment filters:

  • No Splunk Logs: Flags assets with no corroborating Splunk log presence outside of NETSCOUT. When available, this also checks forwarding data and CIM data models.
  • Not in Enterprise Security: Flags assets not present in the ES Assets and Identities context. This filter only appears when Splunk Enterprise Security is installed.
  • Not in Netscout: Flags assets missing NETSCOUT presence in the Discovery enrichment logic.
  • AI Activity: Flags applications or devices associated with common generative AI services such as OpenAI, ChatGPT, Gemini, Claude, Anthropic, or Hugging Face.

IP Investigation

IP Investigation provides a focused workflow for a selected IP address. It combines a communication graph with a conversation table and alert context. Using the IP Investigation page, an IT team can see how hosts communicate across its environment, drawing on NETSCOUT data for traffic details while surfacing the relevant Splunk alerts tagged to those IPs.

Selecting an IP

The IP selector accepts:

  • IPs selected from Discovery
  • Previously investigated IPs in the current session
  • IPs found in the conversation summary metrics
  • Manually entered IPv4 or IPv6 addresses

If an IP is valid, NETSCOUT App adds it to the investigation list and loads the matching conversation summaries.

IP Communication Graph

The IP Communication graph shows the currently selected IP and its related peers. You can change how the graph groups or compares traffic using the controls above the visualization.

Group By Options

  • NETSCOUT Sensor
  • Server Port
  • Application
  • Subnet /24
  • None

Metric options

  • Packet Volume
  • Latency
  • Success Rate
  • Total Transactions
  • Timeout Count
  • Failed Connections
  • New Sessions
  • Active Sessions
  • Peak Response Time
  • Selected IP Retransmission %
  • Peer Retransmission %
  • Selected IP Resource Exhaustion %
  • Peer Resource Exhaustion %

Selecting a peer in the graph filters the view to that connection. Use Clear to remove the peer filter.

Conversations Table

The conversation table appears below the graph and summarizes the selected IP's communication with each peer.

The table includes:

  • IP
  • Inbound packets
  • Outbound packets
  • Application(s)
  • Latency
  • Success rate
  • AI sensor name(s)
  • Alerts

Selecting a peer row highlights that relationship and filters the graph. NETSCOUT App also inserts a summary row for the selected IP itself so you can review alerts tied directly to the investigation target, not just its peers.

The table toolbar includes:

  • A last-updated timestamp based on the latest successful run of the two NETSCOUT App scheduled searches
  • A search field that filters both conversation data and expanded alert text
  • Standard table display controls

Alerts and Row Expansion

The Alerts column shows counts from three sources:

  • ES for Enterprise Security notable events
  • ITSI for ITSI tracked alerts
  • SPLUNK for fired alerts discovered through Splunk's alert history

Enterprise Security must be installed for ES alert counts and drilldowns to appear. IT Service Intelligence must be installed for ITSI alert counts and drilldowns to appear.

Clicking the Alerts cell or using the row expansion control expands the row and loads the related event list on demand. Expanded rows show:

  • The source of each alert
  • The alert or event title
  • A direct link to open the corresponding ES, ITSI, or Splunk alert view in a new tab when a matching link is available

If no events are found, the row displays No Alerts.

Linking Directly to IP Investigation

You can link directly to IP Investigation from any Splunk dashboard, table, or HTML view by passing an ip URL parameter and setting the tab parameter to ip-investigation.

Relative URL Format

/app/atlas_netscout/home?tab=ip-investigation&ip=10.20.30.40

Example with a Dashboard Token

<link target="_blank">/app/atlas_netscout/home?tab=ip-investigation&amp;ip=$row.ip$</link>

Notes

  • Use the locale-prefixed form if your Splunk deployment requires it, for example /en-US/app/atlas_netscout/home?tab=ip-investigation&ip=10.20.30.40
  • URL-encode IPv6 addresses when building links
  • If the supplied IP is valid, NETSCOUT App will open the IP Investigation tab and load that IP automatically
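The following Python is an added example (not code from the NETSCOUT App itself) that ties together the two IP-handling rules on this page: the IP selector only loads a valid IPv4 or IPv6 address, and direct links must carry the ip parameter URL-encoded, with an optional locale prefix. It builds a link from a validated address and, in the reverse direction, extracts and validates the ip parameter from a link the way a receiving view would. The APP_HOME_PATH and tab value come from the documented URL format; the locale handling assumes the prefix is simply the first path segment, as in the /en-US example above.

```python
import ipaddress
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Path of the NETSCOUT App home view and the tab value that opens IP Investigation,
# both taken from the documented relative URL format.
APP_HOME_PATH = "/app/atlas_netscout/home"
INVESTIGATION_TAB = "ip-investigation"


def normalize_ip(ip: str) -> str:
    """Validate an IPv4/IPv6 literal and return its canonical text form.

    Raises ValueError for anything that is not an address, mirroring the
    documented rule that only a valid IP is added to the investigation list.
    """
    return str(ipaddress.ip_address(ip.strip()))


def build_investigation_url(ip: str, locale: Optional[str] = None) -> str:
    """Build a relative IP Investigation link for a validated address.

    urlencode percent-encodes the colons of an IPv6 literal (':' becomes '%3A'),
    which is the URL-encoding step the Notes call for. An optional locale such
    as 'en-US' produces the locale-prefixed form (assumption: the prefix is the
    first path segment, as in the page's /en-US example).
    """
    addr = normalize_ip(ip)
    query = urlencode({"tab": INVESTIGATION_TAB, "ip": addr})
    prefix = f"/{locale.strip('/')}" if locale else ""
    return f"{prefix}{APP_HOME_PATH}?{query}"


def extract_investigation_ip(url: str) -> Optional[str]:
    """Reverse of build_investigation_url.

    Returns the validated, canonical ip parameter, or None when the link does
    not target the IP Investigation tab or carries an invalid address. parse_qs
    undoes the percent-encoding, so an encoded IPv6 literal round-trips.
    """
    parts = urlsplit(url)
    if not parts.path.endswith(APP_HOME_PATH):
        return None
    params = parse_qs(parts.query)
    if params.get("tab", [None])[0] != INVESTIGATION_TAB:
        return None
    raw = params.get("ip", [""])[0]
    try:
        return normalize_ip(raw)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: an IPv4 host, an uncompressed IPv6 host, and junk.
    for candidate in ("10.20.30.40", "2001:0db8::1", "10.1.1"):
        try:
            link = build_investigation_url(candidate, locale="en-US")
            print(candidate, "->", link, "->", extract_investigation_ip(link))
        except ValueError:
            print(candidate, "-> rejected: not a valid IPv4 or IPv6 address")
```

Inside a Splunk dashboard you would keep the documented `$row.ip$` token form rather than generating links this way; the Python is for scripts or external tools that need to emit or check these links, and it shows the exact encoded form an IPv6 address takes in the query string.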