Most of the dashboards under Bandwidth by Hosts (but not all) rely on syslog with nfc_id=20067.
Queries in these dashboards begin with the macro `netflow_search_rule_20067`. This macro is defined as:
[netflow_search_rule_20067]
definition = `netflow_index` nfc_id=20067
Because syslogs 20967 and 20067 have a lot of fields in common, you may change the above macro as follows:
[netflow_search_rule_20067]
definition = `netflow_index` nfc_id=20967
You can create these entries in macros.conf in your $SPLUNK_ROOT/etc/apps/netflow/local/ directory to override corresponding entries in $SPLUNK_ROOT/etc/apps/netflow/default/.
There is another place on the dashboards where "20067" is used:
pct_of_total(pct, "20067", TrafficAmount)
You need to change it where applicable to:
pct_of_total(pct, "20967", TrafficAmount)
If you want to use the "Connections by ..." dashboards, which rely on syslogs with nfc_id=20063, you need to make the same change in $SPLUNK_ROOT/etc/apps/netflow/local/macros.conf:
[netflow_search_rule_20063]
definition = `netflow_index` nfc_id=20967
and make the following change in corresponding dashboards:
pct_of_total(pct, "20967", TrafficAmount)
You need to restart Splunk for these changes to take effect.
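The whole procedure above (override the two search macros in local/macros.conf, rewrite the pct_of_total() literals in the dashboard files, then restart) is easy to get half-done by hand, so here is an added helper script that performs the edits in one pass. It is example code written for this page, not part of the NetFlow app or the answer above. It assumes the app directory layout $SPLUNK_ROOT/etc/apps/netflow with dashboard files under default/data/ui/views/ and overrides going to local/data/ui/views/ and local/macros.conf; the file names and the sample dashboard text at the bottom are constructed for the demonstration. The script only rewrites the nfc_id inside pct_of_total(pct, "<id>", ...) calls, so an nfc_id that appears elsewhere in a search string is left untouched, and it never edits anything under default/.

```python
import re
import tempfile
from pathlib import Path

# Constructed mapping: which app macros to override and the nfc_id each should query.
MACRO_TARGETS = {
    "netflow_search_rule_20067": "20967",  # "Bandwidth by Hosts" dashboards
    "netflow_search_rule_20063": "20967",  # "Connections by ..." dashboards
}

# Constructed mapping: nfc_id literal used in pct_of_total() calls -> replacement.
PCT_ID_MAP = {"20067": "20967", "20063": "20967"}

# Matches pct_of_total(pct, "<digits>",  and captures the quoted nfc_id.
PCT_CALL = re.compile(r'pct_of_total\(\s*pct\s*,\s*"(\d+)"\s*,')


def render_macro_overrides(targets):
    """Build the macros.conf stanzas that override the app's default definitions."""
    stanzas = []
    for name, nfc_id in sorted(targets.items()):
        stanzas.append(f"[{name}]\ndefinition = `netflow_index` nfc_id={nfc_id}\n")
    return "\n".join(stanzas)


def rewrite_pct_of_total(text, id_map):
    """Replace the nfc_id inside pct_of_total(pct, "<id>", ...) calls only.

    Returns (new_text, number_of_calls_changed). Digits that appear outside such
    a call (for example nfc_id=20067 inside a search) are deliberately left alone.
    """
    count = 0

    def repl(match):
        nonlocal count
        old = match.group(1)
        new = id_map.get(old)
        if new is None or new == old:
            return match.group(0)
        count += 1
        return match.group(0).replace(f'"{old}"', f'"{new}"', 1)

    return PCT_CALL.sub(repl, text), count


def apply_to_app(app_dir):
    """Write local/macros.conf overrides and local copies of rewritten dashboards.

    Files under default/ are never modified; Splunk reads local/ first, so the
    copies written here take precedence. Returns the list of dashboards changed.
    """
    app_dir = Path(app_dir)
    local_dir = app_dir / "local"
    local_dir.mkdir(parents=True, exist_ok=True)

    # Append only the stanzas that are not already present in local/macros.conf.
    macros_path = local_dir / "macros.conf"
    existing = macros_path.read_text() if macros_path.exists() else ""
    missing = {n: v for n, v in MACRO_TARGETS.items() if f"[{n}]" not in existing}
    if missing:
        sep = "\n" if existing and not existing.endswith("\n") else ""
        macros_path.write_text(existing + sep + render_macro_overrides(missing))

    changed = []
    default_views = app_dir / "default" / "data" / "ui" / "views"
    local_views = local_dir / "data" / "ui" / "views"
    for view in sorted(default_views.glob("*.xml")) if default_views.exists() else []:
        new_text, n = rewrite_pct_of_total(view.read_text(), PCT_ID_MAP)
        if n:
            local_views.mkdir(parents=True, exist_ok=True)
            (local_views / view.name).write_text(new_text)
            changed.append(view.name)
    return changed


# Constructed sample dashboard: one search macro call and one pct_of_total() call.
SAMPLE_VIEW = """<dashboard>
  <search><query>`netflow_search_rule_20067` | stats sum(bytes) as TrafficAmount by host</query></search>
  <row><panel><table><search><query>pct_of_total(pct, "20067", TrafficAmount)</query></search></table></panel></row>
</dashboard>
"""

if __name__ == "__main__":
    # Dry run against a throwaway app directory with the constructed sample view.
    with tempfile.TemporaryDirectory() as tmp:
        views = Path(tmp) / "netflow" / "default" / "data" / "ui" / "views"
        views.mkdir(parents=True)
        (views / "bandwidth_by_hosts.xml").write_text(SAMPLE_VIEW)
        print("rewritten:", apply_to_app(Path(tmp) / "netflow"))
        print((Path(tmp) / "netflow" / "local" / "macros.conf").read_text())
```

Point apply_to_app() at $SPLUNK_ROOT/etc/apps/netflow, review the files it wrote under local/, and restart Splunk; the default/ copies stay intact so the change can be backed out by deleting the local/ files.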