Splunk TA for receiving and analyzing DDoS detection events from Flowtriq.
- Field extractions for the `flowtriq:incident` sourcetype (JSON + regex fallback)
- Lookup tables for severity levels and attack family classification
- Event types and tags for Splunk CIM compatibility (`network`, `ids`, `attack`)
- Overview dashboard with attack timeline, top attack types, severity distribution, targeted nodes, and recent incidents
- Splunk Enterprise 8.0+ or Splunk Cloud
- Flowtriq dashboard with the Splunk HEC integration enabled
- A Splunk HEC token configured to accept data
- Copy the `TA-flowtriq` directory into `$SPLUNK_HOME/etc/apps/`
- Restart Splunk (`$SPLUNK_HOME/bin/splunk restart`)
- The app will appear under Apps in the Splunk navigation
- Package the add-on: `tar -czf TA-flowtriq.tar.gz TA-flowtriq/`
- Submit the package through Splunk Cloud self-service install or your Splunk Cloud admin
- The `app.manifest` is included for Splunk Cloud vetting
```shell
cd flowtriq-splunk
tar -czf TA-flowtriq.spl TA-flowtriq/
```

Then install via Apps > Install app from file in the Splunk UI.
- Go to Settings > Data Inputs > HTTP Event Collector
- Click New Token
- Name it (e.g., "Flowtriq")
- Set the Source Type to `flowtriq:incident`
- Choose or create an index for Flowtriq events
- Save and copy the token value
- In the Flowtriq dashboard, go to Settings > Integrations
- Add a Splunk HEC integration
- Enter:
  - URL: Your Splunk HEC endpoint (e.g., `https://splunk.example.com:8088/services/collector/event`)
  - Token: The HEC token from step 1
  - Index: (optional) The index name, or leave blank for the HEC default
  - Source Type: Leave as default (`flowtriq:incident`)
- Test the connection
- Events will be sent on `attack_start` and `attack_end`
Each event sent to Splunk contains:
| Field | Type | Description |
|---|---|---|
| `event_type` | string | `attack_start` or `attack_end` |
| `incident_id` | integer | Unique incident identifier |
| `severity` | string | `low`, `medium`, `high`, or `critical` |
| `attack_family` | string | Attack classification (e.g., `udp_flood`, `dns_amplification`) |
| `peak_pps` | integer | Peak packets per second |
| `peak_bps` | integer | Peak bits per second |
| `source_ip_count` | integer | Number of distinct source IPs |
| `confidence` | integer | Detection confidence score |
| `status` | string | Incident status |
| `started_at` | string | ISO 8601 start timestamp |
| `resolved_at` | string | ISO 8601 resolution timestamp (null if ongoing) |
| `node_name` | string | Name of the monitored node |
| `node_ip` | string | IP address of the monitored node |
| `dashboard_url` | string | Direct link to the incident in Flowtriq |
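To check the TA's field extractions and dashboard panels before a live Flowtriq instance is connected, a constructed event in this schema can be posted to HEC with the same sourcetype. The following is an added example, not part of the TA or of Flowtriq; the HEC URL, token, index name and every sample value are placeholders.

```python
import json
import urllib.request
from datetime import datetime

SEVERITIES = {"low", "medium", "high", "critical"}
EVENT_TYPES = {"attack_start", "attack_end"}
REQUIRED = ("event_type", "incident_id", "severity", "attack_family",
            "node_name", "node_ip", "started_at")

def hec_payload(incident: dict, index: str = "") -> dict:
    """Wrap an incident in the HEC envelope, pinning sourcetype to
    flowtriq:incident and taking the event time from started_at."""
    missing = [f for f in REQUIRED if f not in incident]
    if missing:
        raise ValueError(f"incident missing fields: {missing}")
    if incident["event_type"] not in EVENT_TYPES:
        raise ValueError(f"bad event_type: {incident['event_type']}")
    if incident["severity"] not in SEVERITIES:
        raise ValueError(f"bad severity: {incident['severity']}")
    # Accept a trailing Z (UTC) as well as an explicit UTC offset.
    started = datetime.fromisoformat(incident["started_at"].replace("Z", "+00:00"))
    payload = {"time": started.timestamp(), "sourcetype": "flowtriq:incident",
               "event": incident}
    if index:  # omit to let the HEC token's default index apply
        payload["index"] = index
    return payload

def send_to_hec(url: str, token: str, payload: dict) -> int:
    """POST the envelope with HEC token auth; returns the HTTP status."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

# Constructed sample event in the documented schema (all values made up).
SAMPLE = {
    "event_type": "attack_start", "incident_id": 1042, "severity": "high",
    "attack_family": "udp_flood", "peak_pps": 2400000, "peak_bps": 18000000000,
    "source_ip_count": 5120, "confidence": 92, "status": "active",
    "started_at": "2024-05-01T12:00:00Z", "resolved_at": None,
    "node_name": "edge-01", "node_ip": "203.0.113.10",
    "dashboard_url": "https://flowtriq.example/incidents/1042"}

if __name__ == "__main__":
    # Placeholders: substitute your own HEC endpoint, token and index.
    print(send_to_hec("https://splunk.example.com:8088/services/collector/event",
                      "HEC-TOKEN-PLACEHOLDER", hec_payload(SAMPLE, "flowtriq")))
```

After sending, `sourcetype="flowtriq:incident" incident_id=1042` should return the event with `severity`, `attack_family` and `node_name` extracted as fields.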
The Flowtriq DDoS Overview dashboard is available under the app and includes:
- Total incident count with color-coded thresholds
- Critical/High incident count
- Peak traffic gauge
- Active node count
- Attack timeline (stacked by severity)
- Top attack types (pie chart)
- Severity distribution (pie chart)
- Top targeted nodes (table with peak traffic stats)
- Recent incidents (table with duration, confidence, and direct links)
All panels support time range and severity filtering.
```spl
# All incidents in the last 24 hours
sourcetype="flowtriq:incident" event_type="attack_start" earliest=-24h

# Critical incidents by node
sourcetype="flowtriq:incident" severity="critical" | stats count by node_name

# Attack volume over time
sourcetype="flowtriq:incident" event_type="attack_start" | timechart sum(peak_bps) AS total_bps

# Average attack duration
sourcetype="flowtriq:incident" event_type="attack_end"
| eval duration = strptime(resolved_at, "%Y-%m-%dT%H:%M:%S") - strptime(started_at, "%Y-%m-%dT%H:%M:%S")
| stats avg(duration) AS avg_seconds
| eval avg_duration = tostring(avg_seconds, "duration")
```
Start your free 14-day trial at flowtriq.com/signup.
Built by Flowtriq - Real-time DDoS detection and mitigation.