NetScaler Application Delivery Management service

Integration with Splunk

You can now integrate NetScaler ADM with Splunk to view analytics for:

  • WAF violations

  • Bot violations

  • SSL Certificate Insights

Splunk add-on enables you to:

  • Combine all other external data sources.

  • Provide greater visibility of analytics in a centralized place.

NetScaler ADM collects Bot, WAF, SSL events, and sends to Splunk periodically. The Splunk Common Information Model (CIM) add-on converts the events to CIM compatible data. As an administrator, using the CIM compatible data, you can view the events in the Splunk dashboard.

For a successful integration, you must:

Configure Splunk to receive data from NetScaler ADM

In Splunk, you must:

  1. Setup the Splunk HTTP event collector endpoint and generate a token

  2. Install the Splunk Common Information Model (CIM) add-on

  3. Prepare a sample dashboard in Splunk

Setup the Splunk HTTP event collector endpoint and generate a token

You must first setup the HTTP event collector in Splunk. This setup enables the integration between the ADM and Splunk to send the WAF or Bot data. Next, you must generate a token in Splunk to:

  • Enable authentication between ADM and Splunk.

  • Receive data through the event collector endpoint.

  1. Log on to Splunk.

  2. Navigate to Settings > Data Inputs > HTTP event collector and click Add new.

  3. Specify the following parameters:

    1. Name: Specify a name of your choice.

    2. Source name override (optional): If you set a value, it overrides the source value for HTTP event collector.

    3. Description (optional): Specify a description.

    4. Output Group (optional): By default, this option is selected as None.

    5. Enable indexer acknowledgement: By default, this option is not selected.

      Event collector parameters

  4. Click Next.

  5. Optionally, you can set additional input parameters in the Input Settings page.

  6. Click Review to verify the entries and then click Submit.

    A token gets generated. You must use this token when you add details in NetScaler ADM.

    Splunk token

Install the Splunk Common Information Model

In Splunk, you must install the Splunk CIM add-on. This add-on ensures that the data received from Citrix ADM to normalize the ingested data and match a common standard using the same field names and event tags for equivalent events.


You can ignore this step if you have already installed the Splunk CIM add-on.

  1. Log on to Splunk.

  2. Navigate to Apps > Find More Apps.

    Splunk find more apps

  3. Type CIM in the search bar and press Enter to get the Splunk Common Information Model (CIM) add-on, and click Install.

    Splunk CIM

Prepare a sample dashboard in Splunk

After you install the Splunk CIM, you must prepare a sample dashboard using a template for WAF and Bot, and SSL Certificate Insights. You can download the dashboard template (.tgz) file, use any editor (for example, notepad) to copy its contents, and create a dashboard by pasting the data in Splunk.


The following procedure to create a sample dashboard is applicable for both WAF and Bot, and SSL Certificate Insights. You must use the required json file.

  1. Log on to Citrix downloads page and download the sample dashboard available under Observability Integration.

  2. Extract the file, open the json file using any editor, and copy the data from the file.


    After you extract, you get two json files. Use adm_splunk_security_violations.json to create the WAF and Bot sample dashboard, and use adm_splunk_ssl_certificate.json to create the SSL certificate insight sample dashboard.

  3. In the Splunk portal, navigate to Search & Reporting > Dashboards and then click Create New Dashboard.

    Create dashboard

  4. In the Create New Dashboard page, specify the following parameters:

    1. Dashboard Title - Provide a title of your choice.

    2. Description - Optionally, you can provide a description for your reference.

    3. Permission - Select Private or Shared in App based on your requirement.

    4. Select Classic Dashboard and then click Create.

      Dashboard parameters

    After you click Create, the Edit Dashboard page is displayed.

  5. Click the Source tab, delete the existing data, and paste the data that you copied in step 2.

  6. Click Save.

    A notification prompts you to refresh the page for the changes to take effect.


  7. Click Refresh to get the sample dashboard ready.

    You can view the following sample dashboard in your Splunk.

    Sample dashboard

Configure NetScaler ADM to export data to Splunk

You now have everything ready in Splunk. The final step is to configure NetScaler ADM by creating a subscription and adding the token.

Upon completion of the following procedure, you can view the updated dashboard in Splunk that is currently available in your NetScaler ADM:

  1. Log on to NetScaler ADM.

  2. Navigate to Settings > Ecosystem Integration.

  3. In the Subscriptions page, click Add.

  4. In the Select features to subscribe tab enables you to select the features that you want to export and click Next.

    • Realtime Export - The selected violations are exported to Splunk immediately.

    • Periodic Export - The selected violations are exported to Splunk based on the duration you select.

      Select features

  5. In the Specify export configuration tab:

    1. End Point Type – Select Splunk from the list.

    2. End Point – Specify the Splunk end point details. The end point must be in the https://SPLUNK_PUBLIC_IP:SPLUNK_HEC_PORT/services/collector/event format.


      It is recommended to use HTTPS for security reasons.

      • SPLUNK_PUBLIC_IP – A valid IP address configured for Splunk.

      • SPLUNK_HEC_PORT – Denotes the port number that you have specified during the HTTP event endpoint configuration. The default port number is 8088.

      • Services/collector/event – Denotes the path for the HEC application.

    3. Authentication token – Copy and paste the authentication token from the Splunk page.

    4. Click Next.

      Create subscription

  6. In the Subscribe page:

    1. Export Frequency – Select Daily or Hourly from the list. Based on the selection, NetScaler ADM exports the details to Splunk.


      Applicable only if you have selected violations in Periodic Export.

    2. Subscription Name – Specify a name of your choice.

    3. Select the Enable Notifications check box.

    4. Click Submit.



      • When you configure with Periodic Export option for the first time, the selected features data get pushed to Splunk immediately. The next export frequency happens based on your selection (daily or hourly).

      • When you configure with Realtime Export option for the first time, the selected features data pushed to Splunk immediately as soon as the violations are detected in NetScaler ADM.

View dashboards in Splunk

After you complete the configuration in NetScaler ADM, the events appear in Splunk. You are all set to view the updated dashboard in Splunk without any additional steps.

Go to Splunk and click the dashboard that you have created to view the updated dashboard.

The following is an example for the updated WAF and Bot dashboard:

Updated dashboard

The following dashboard is an example for the updated SSL Certificate Insights dashboard.

SSL certificate