For telecommunications service providers, the ability to gain granular insights into network behaviour has become a fundamental requirement for organisations striving for operational excellence and resilience. These organisations need the tools to monitor and analyse network performance, reliability, and security in near real-time. Telco networks are complex, multi-layered systems, encompassing domains such as the radio access network (RAN), the transport network, the core network, and the service layer. Each domain incorporates equipment from multiple OEMs such as Cisco, Ericsson, Huawei and Nokia, and thus presents its own monitoring challenges: diverse technologies, vendor-specific log and telemetry formats, and the sheer volume of data generated. Monitoring these layers effectively requires a holistic approach that can correlate data from disparate sources into a unified view of network performance and health.
Splunk can help address these challenges by providing a platform that can ingest and process data from these diverse sources. By enabling a unified cross domain view of the network, Splunk allows telcos to:
This blog aims to provide a comprehensive guide on how Splunk can be employed to effectively collect network telemetry data from telecommunication network devices. The subsequent sections will delve into various data collection methodologies, the network protocols it supports, the availability of out-of-the-box connectors or relevant applications, strategies for managing the high data volumes characteristic of telco environments, and pertinent case studies illustrating Splunk's application in this area.
Splunk provides several established methods for collecting network data, each offering distinct advantages depending on the specific data required and the capabilities of the network devices. These methods cater to various data sources and architectural preferences within telecommunication environments.
The Universal Forwarder is a lightweight agent installed on servers, typically on intermediary hosts such as syslog relays, element managers or jump hosts, since network equipment itself rarely supports installing an agent. Its primary function is to collect data from sources such as system logs, application logs and performance metrics, and forward it to Splunk indexers for processing and analysis; the forwarder-to-indexer connection should be configured with TLS so that device logs are not readable or tamperable in transit. The Universal Forwarder is compatible with a wide range of operating systems, including Linux and Windows, which are commonly found within telecommunication infrastructures.
The HTTP Event Collector (HEC) offers an efficient method for sending application events and logs directly to Splunk over HTTP or HTTPS. HEC uses a token-based authentication model: the sender presents a token in the Authorization header of each request. The token identifies the sender and decides which indexes it may write to; it is a bearer credential, so confidentiality of the data and of the token itself depends on using HTTPS, not on the token. In practice this means enabling TLS on the collector, issuing a separate token per source system or device class with an explicit index restriction, and rotating tokens that have been exposed. This method is particularly well-suited for custom applications running on network equipment or within management systems. HEC is designed to handle high volumes of events, which makes it appropriate for the large data streams encountered in telco networks.
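As an added example (not Splunk's own code), the following Python client shows the HEC request the paragraph above describes: the token travels in the Authorization header rather than the URL, events are wrapped in the HEC envelope with sender-supplied timestamps, several events are batched per request, and TLS verification is kept on. The endpoint URL, the HEC_TOKEN environment variable, the hostnames and the two router messages are all constructed assumptions.

```python
"""Added example (not Splunk's code): send a batch of events to a Splunk HTTP
Event Collector endpoint over HTTPS with token authentication.

Assumptions (hypothetical): the HEC endpoint is
https://hec.example.net:8088/services/collector/event and the token is read
from the HEC_TOKEN environment variable. HEC tokens are bearer credentials:
anyone holding one can write into the indexes the token allows, so keep
them out of source code and out of the URL, and pin the TLS trust anchor.
"""
import json
import os
import ssl
import time
import urllib.request
from typing import Iterable, Optional

HEC_URL = "https://hec.example.net:8088/services/collector/event"  # hypothetical endpoint
HEC_TOKEN = os.environ.get("HEC_TOKEN", "")


def hec_headers(token: str) -> dict:
    """HEC authenticates with an Authorization header, not a URL parameter,
    so the token does not end up in proxy or web-server access logs."""
    return {"Authorization": f"Splunk {token}",
            "Content-Type": "application/json"}


def hec_event(event: dict, *, host: str, sourcetype: str,
              index: Optional[str] = None, ts: Optional[float] = None) -> dict:
    """Wrap a payload in the HEC envelope. The envelope fields (time, host,
    sourcetype, index) are what Splunk indexes on; the device payload goes
    under 'event'. The sender sets the epoch time so that late delivery does
    not shift the event's timestamp."""
    env = {"time": ts if ts is not None else time.time(),
           "host": host, "sourcetype": sourcetype, "event": event}
    if index:
        env["index"] = index
    return env


def hec_batch(envelopes: Iterable[dict]) -> bytes:
    """HEC accepts several events in one request as concatenated JSON
    objects, so batching cuts connection overhead for chatty devices."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in envelopes).encode()


def send_to_hec(body: bytes, url: str = HEC_URL, token: str = HEC_TOKEN,
                ca_file: Optional[str] = None) -> dict:
    """POST the batch. TLS verification stays ON: a token sent to a spoofed
    collector is a token stolen. ca_file pins the organisation's CA when the
    collector certificate is not issued by a public CA."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over plain HTTP")
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(url, data=body, headers=hec_headers(token), method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        reply = json.loads(resp.read())
    # Splunk answers {"text":"Success","code":0}; any other code means the
    # batch was not accepted and must be retried or dead-lettered.
    if reply.get("code") != 0:
        raise RuntimeError(f"HEC rejected batch: {reply}")
    return reply


if __name__ == "__main__":
    # Constructed sample: two IOS-style messages from a hypothetical edge router.
    samples = [
        {"msg": "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"},
        {"msg": "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7]"},
    ]
    envelopes = [hec_event(s, host="rtr-edge-01", sourcetype="cisco:ios",
                           index="netops", ts=1700000000 + i) for i, s in enumerate(samples)]
    body = hec_batch(envelopes)
    print(body.decode())
    # send_to_hec(body, ca_file="/etc/ssl/certs/corp-ca.pem")  # network call; uncomment to use
```

Running the block prints the exact bytes that would be POSTed; the send is left commented out because it needs a reachable collector. The refusal to post over plain HTTP is deliberate: a token that has travelled in cleartext should be treated as compromised.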
Splunk Connect for Syslog (SC4S) presents a modern, containerised approach to syslog data ingestion. SC4S is essentially a pre-configured syslog server (based on syslog-ng) packaged in a container, with vendor-specific filters that recognise the message formats of common network equipment, assign the matching sourcetype and index, and forward the events to Splunk over HEC. This simplifies collecting syslog from a multitude of network devices by providing a standardised ingestion pipeline. Two caveats apply to any syslog design: syslog over UDP is unauthenticated and silently lossy, so prefer TCP or TLS-wrapped syslog where the device supports it; and device formats vary enough (BSD-style, RFC 5424, and vendor variants with sequence numbers or missing hostnames) that a sample of real messages should be checked against the SC4S filters before cutover, otherwise events land unparsed in a fallback sourcetype.
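The following Python classifier is an added example, not part of SC4S or Splunk, of the pre-cutover check just described: it splits the PRI field into facility and severity, recognises RFC 5424 and RFC 3164 framing, and reports everything else as unknown so that devices with vendor-specific formats are found before they are pointed at the collector. The hostnames and sample log lines are constructed, not captured from real equipment.

```python
"""Added example (not part of SC4S or Splunk): a small syslog classifier to run
against a sample of what devices actually emit before pointing them at SC4S.
It splits the PRI into facility/severity and recognises RFC 5424 and
RFC 3164 framing; anything else is kept as 'unknown' so the gap is visible
rather than silently mis-parsed. Sample lines below are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (the BSD format most network gear still uses)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
PRI_ONLY = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")


@dataclass
class SyslogEvent:
    fmt: str                  # "rfc5424", "rfc3164" or "unknown"
    facility: Optional[int]
    severity: Optional[str]
    host: Optional[str]
    msg: str
    fields: dict = field(default_factory=dict)


def split_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity. A PRI above 191 is invalid and a sign that
    the sender is not speaking syslog (or is feeding junk to the listener)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"invalid PRI {pri}")
    return pri // 8, SEVERITY[pri % 8]


def parse_syslog(line: str) -> SyslogEvent:
    m = RFC5424.match(line)
    if m:
        fac, sev = split_pri(int(m["pri"]))
        return SyslogEvent("rfc5424", fac, sev, m["host"], m["msg"] or "",
                           {"app": m["app"], "procid": m["procid"], "msgid": m["msgid"],
                            "sd": m["sd"], "ts": m["ts"]})
    m = RFC3164.match(line)
    if m:
        fac, sev = split_pri(int(m["pri"]))
        return SyslogEvent("rfc3164", fac, sev, m["host"], m["msg"], {"ts": m["ts"]})
    m = PRI_ONLY.match(line)
    if m:
        try:
            fac, sev = split_pri(int(m["pri"]))
        except ValueError:
            fac, sev = None, None
        # PRI present but framing is vendor-specific (e.g. IOS without a hostname)
        return SyslogEvent("unknown", fac, sev, None, m["rest"])
    return SyslogEvent("unknown", None, None, None, line)


def format_report(lines) -> dict:
    """Count how many lines landed in each framing. A high 'unknown' share means a
    vendor-specific SC4S filter (or the device's logging format) needs attention."""
    counts = {"rfc5424": 0, "rfc3164": 0, "unknown": 0}
    for ln in lines:
        counts[parse_syslog(ln).fmt] += 1
    return counts


SAMPLE_LINES = [  # constructed, not captured from real equipment
    "<34>1 2024-05-01T10:15:00.000Z fw-core-01 sshd 2211 ID47 - Failed password for root from 203.0.113.9 port 52211",
    "<189>May  1 10:15:01 rtr-edge-01 123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "<13>May 01 10:15:02 sw-agg-02 %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/24, changed state to down",
    "<45>*Mar  1 18:46:11.321: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "PLAIN TEXT WITHOUT A PRI HEADER",
]

if __name__ == "__main__":
    for ln in SAMPLE_LINES:
        ev = parse_syslog(ln)
        print(f"{ev.fmt:8} fac={ev.facility} sev={ev.severity} host={ev.host} :: {ev.msg[:50]}")
    print(format_report(SAMPLE_LINES))
```

The fourth sample line is the interesting one: it carries a valid PRI but no hostname and a non-standard timestamp, which is exactly the kind of message a generic syslog receiver will attribute to the relay's IP address rather than the originating device. Those are the devices whose logging configuration or SC4S filter needs fixing first.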
Splunk Connect for SNMP (SC4SNMP) provides a similarly modern, containerised solution for gathering SNMP data from network devices, both by polling and by receiving traps. Deployed at the network edge, SC4SNMP is designed for high availability and integration with Splunk Enterprise, Splunk Cloud, and Splunk Infrastructure Monitoring. A key advantage of SC4SNMP is that it provides context-rich information about device interfaces and performance metrics (it resolves OIDs against MIBs and groups related values) without requiring users to construct SNMP queries by hand. Whichever collector is used, devices should be polled with SNMPv3 using authentication and privacy rather than SNMPv1/v2c community strings, which travel in cleartext and act as a shared password for every device configured with them; read-only credentials are sufficient for telemetry.
The OpenTelemetry Collector offers a technology-agnostic approach to receiving, processing, and exporting telemetry data, encompassing logs, metrics, and traces. The Collector operates based on a pipeline concept, with receivers to gather data, processors to manipulate it, and exporters to send it to backend systems like Splunk. The Splunk Distribution of the OpenTelemetry Collector extends the open-source project by including components tailored for specific vendors and platforms, facilitating data collection from diverse environments. A significant benefit of OpenTelemetry is its ability to standardise observability data formats, thereby minimising vendor lock-in.
Finally, Splunk Stream is an application that captures network traffic directly from a network interface or SPAN/TAP feed and, separately, receives flow records exported by devices in NetFlow, IPFIX and sFlow formats. Through deep packet inspection of captured traffic, Splunk Stream can extract protocol attributes (for example DNS queries, HTTP requests, TLS handshake details) without storing full packet payloads; flow records, by contrast, give per-conversation counters (source and destination addresses, ports, byte and packet counts) at a fraction of the volume. This makes Stream relevant for real-time traffic analysis, security monitoring, and gaining granular insight into network communications, with the caveat that flow export uses plain UDP and should be confined to a management network the collector trusts.
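To make the flow-record side concrete, here is an added example (not Splunk Stream's code) that decodes a NetFlow v5 datagram from its documented wire layout and runs two of the cheap security checks analysts typically apply to flow data. The sample datagram, the address ranges treated as internal, and the thresholds are constructed assumptions; the length and version checks matter because flow export arrives over unauthenticated UDP.

```python
"""Added example (not Splunk Stream's code): a NetFlow v5 decoder plus a
simple triage pass over the decoded flows. Built from the v5 wire layout
(24-byte header, 48-byte records, all big-endian); the sample datagram is
constructed in build_sample_datagram() rather than captured from a router."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Tuple

HDR = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, seq, engine_type, engine_id, sampling
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # one 48-byte v5 flow record

# Assumed internal address space for the triage rules below.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12"),
            ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int
    in_if: int
    out_if: int


def is_internal(ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    return any(a in n for n in INTERNAL)


def parse_netflow_v5(data: bytes) -> Tuple[dict, List[Flow]]:
    """Decode one datagram. The count field is trusted only after checking it
    against the real length: NetFlow is plain UDP with no authentication, so a
    short or padded packet must not make the decoder read past the buffer."""
    if len(data) < HDR.size:
        raise ValueError("datagram shorter than v5 header")
    version, count, _uptime, secs, _nsecs, seq, _etype, eid, sampling = HDR.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) != HDR.size + count * REC.size:
        raise ValueError(f"count={count} does not match payload length {len(data)}")
    header = {"count": count, "unix_secs": secs, "flow_sequence": seq,
              "engine_id": eid, "sampling_interval": sampling & 0x3FFF}  # top 2 bits = sampling mode
    flows = []
    for i in range(count):
        (src, dst, _nh, in_if, out_if, pkts, octets, _first, _last, sport, dport,
         _pad, flags, proto, _tos, _sas, _das, _sm, _dm, _p2) = REC.unpack_from(data, HDR.size + i * REC.size)
        flows.append(Flow(str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
                          sport, dport, proto, pkts, octets, flags, in_if, out_if))
    return header, flows


def expected_next_sequence(header: dict) -> int:
    """v5 flow_sequence counts flows exported so far, so the next datagram should
    start at seq + count. A jump means datagrams were lost (or injected)."""
    return header["flow_sequence"] + header["count"]


def triage(flows: List[Flow]) -> List[str]:
    """Two cheap checks security teams run on flow data: inbound SSH from outside
    the internal ranges, and outbound 53/udp flows fat enough to suggest DNS tunnelling."""
    findings = []
    for f in flows:
        if f.proto == 6 and f.dport == 22 and not is_internal(f.src) and is_internal(f.dst):
            findings.append(f"inbound SSH {f.src}:{f.sport} -> {f.dst}:22 ({f.packets} pkts)")
        if f.proto == 17 and f.dport == 53 and is_internal(f.src) and not is_internal(f.dst) and f.octets > 100_000:
            findings.append(f"large DNS egress {f.src} -> {f.dst} ({f.octets} bytes)")
    return findings


def _rec(src, dst, sport, dport, proto, pkts, octets, flags=0x18):
    return REC.pack(ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
                    b"\0\0\0\0", 1, 2, pkts, octets, 1000, 2000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_sample_datagram(seq: int = 4200) -> bytes:
    """Constructed sample: an ordinary HTTPS session, an SSH brute-force attempt from
    outside, and a suspiciously fat DNS 'query' leaving the network."""
    recs = [_rec("10.1.2.3", "198.51.100.10", 51000, 443, 6, 40, 31000),
            _rec("203.0.113.9", "10.1.2.3", 52211, 22, 6, 1200, 96000, flags=0x02),
            _rec("10.9.9.9", "203.0.113.53", 40000, 53, 17, 900, 180000)]
    return HDR.pack(5, len(recs), 123456, 1700000000, 0, seq, 0, 7, 0) + b"".join(recs)


if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(build_sample_datagram())
    print(hdr, "next expected seq:", expected_next_sequence(hdr))
    for line in triage(flows):
        print("ALERT:", line)
```

The sequence-number helper is worth keeping in any home-grown collector: NetFlow exporters do not retransmit, so a gap between one datagram's seq + count and the next datagram's seq is the only evidence that flows were dropped between router and collector.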
The availability of these diverse ingestion methods underscores Splunk's flexibility in accommodating the wide array of data sources and protocols prevalent in telecommunication networks. Organisations can select the most appropriate method based on the specific type of data, the capabilities of their network devices, and their unique monitoring objectives. Furthermore, the increasing prominence of containerised solutions like SC4S and SC4SNMP reflects a broader trend towards modern, scalable, and more easily managed data collection architectures, which are particularly advantageous in the large and dynamic environments typical of telecommunications.
Here's a breakdown of commonly used protocols and collection methods for network data:
| Protocol | Method | Data Collected | Common Use Cases in Telco Networks | Splunk Collection Methods |
|---|---|---|---|---|
| Syslog (UDP/TCP, optionally TLS) | Network devices push system logs to a syslog receiver. | Device status, events, errors | Operational events, security alerts, debugging information from network devices and management systems. | Splunk Connect for Syslog (SC4S); Universal Forwarder listening on a syslog port (small deployments only); vendor-specific TAs may be needed for parsing |
| SNMP (polling and traps) | Splunk polls devices for metrics (GET/GETBULK); devices push unsolicited traps on events. | Interface statistics, CPU/memory usage, trap notifications | Device health and performance monitoring (CPU, memory, interface statistics), configuration retrieval. | Splunk Connect for SNMP (SC4SNMP); Universal Forwarder with SNMP modular input; NetFlow and SNMP Analytics for Splunk App |
| NetFlow (v5, v9), IPFIX | Devices export flow records (UDP) to a collector. | Source/destination IPs, ports, protocol, traffic volume | Network traffic analysis, bandwidth monitoring, capacity planning, security investigations, identifying traffic patterns. | Splunk Stream App, potentially with vendor-specific configurations or TAs; NetFlow and SNMP Analytics for Splunk App; Atlas ITSI Content Pack for Netflow |
| Streaming telemetry (gRPC, Protocol Buffers) | Devices push data to a collector in real-time (dial-out) or the collector subscribes (dial-in). | Real-time, granular metrics and state | High-frequency, timely insights | |
| Packet capture (PCAP) | Splunk analyses captured network traffic. | Detailed packet-level information | Deep troubleshooting, security analysis | Splunk Stream App (packet capture and deep packet inspection) |
| Vendor-specific APIs (HTTP/HTTPS) | Splunk integrates with vendor management APIs. | Device-specific data | Interacting with web-based management interfaces, data export via REST APIs (if supported). | HTTP Event Collector (HEC) for API data; potentially scripted inputs for scraping web interfaces |
| Log files (SSH) | Splunk ingests log files pulled from devices. | Operational data, historical records | Rich source of contextual information | |
| Diameter/RADIUS | Splunk collects authentication and accounting data. | User authentication, authorisation and accounting information | Crucial for mobile network management (LTE, 5G) | |
The following table summarises the Splunk network telemetry collection methods by OEM:
| OEM | Primary Telemetry Protocols Supported | Recommended Splunk Collection Methods | Relevant Splunk Apps/Add-ons |
|---|---|---|---|
| Ericsson | Syslog, SNMP | Syslog forwarding to Universal Forwarder/syslog server, SNMP polling/traps, HEC (if supported) | No OOTB add-ons available |
| Nokia | Syslog, SNMP, gNMI | Syslog forwarding to Universal Forwarder/syslog server, SNMP polling/traps, gNMI integration (potentially via a gateway), NSP via HEC | NSP application log forwarding |
| Cisco | Syslog, SNMP, NetFlow/IPFIX, gRPC/NETCONF | Syslog forwarding to Universal Forwarder/SC4S, SNMP polling/traps, NetFlow/IPFIX collection, Model-Driven Telemetry integration | Cisco Networks App for Splunk Enterprise, Cisco Networks Add-on for Splunk Enterprise |
| Juniper | Syslog, SNMP, NetFlow/IPFIX, JTI (gRPC/OpenConfig), webhooks | Syslog forwarding to Universal Forwarder, SNMP polling/traps, NetFlow/IPFIX collection, JTI/gRPC integration, webhooks via HEC | Splunk Add-on for Juniper |
| Fortinet | Syslog, SNMP, FortiTelemetry | Syslog forwarding to Universal Forwarder/syslog server, SNMP polling/traps | Fortinet FortiGate App for Splunk, Fortinet FortiGate Add-On for Splunk |
| F5 | Syslog, SNMP, iControl REST API, Telemetry Streaming (HTTP/HTTPS), HSL | Syslog forwarding to Universal Forwarder/SC4S, SNMP polling/traps, iControl REST API via add-on, Telemetry Streaming via HEC | Splunk Add-on for F5 BIG-IP, F5 Analytics App |
| Extreme Networks | Syslog, NetFlow, TCP telemetry | Syslog ingest, NetFlow via Splunk Stream, TCP input; various integrations, check the vendor website | Vendor app archived on Splunkbase; no current listing |
| Arista | Telemetry | Vendor integration on Splunkbase | Arista Networks Telemetry App For Splunk |
| Infoblox | Asset information | Vendor integration | Infoblox Gridmanager Networks Input App for Splunk |
Here's a more detailed look at methods to get data into Splunk, with some additional suggestions:
To effectively set up and optimise Splunk for collecting network telemetry data, several recommendations and best practices should be followed:
Splunk helps global telcos manage their complex network operations effectively. The following case studies highlight the platform's versatility and the tangible benefits it provides to telco organisations.
Telenor, a major telecommunications service provider, has successfully deployed Splunk to enhance incident investigation, streamline troubleshooting processes, and bolster its security posture. The implementation of Splunk has led to benefits such as quicker and easier resolution of business-critical issues, enhanced security capabilities, and increased overall service availability. Telenor's network operations team utilises Splunk dashboards to visualise network health and proactively monitors for error events and unusual patterns.
CenturyLink (now Lumen Technologies) has also adopted Splunk for mission-critical monitoring, achieving improved executive-level visibility into its IT and business operations and significantly reducing incident resolution times. Splunk has enabled CenturyLink to centralise monitoring across a complex environment involving both in-house and third-party applications. The platform provides real-time insight into the performance and errors of their billing system, which has streamlined operations for their DevOps personnel. Moreover, Splunk has equipped their call centres with real-time dashboards, allowing them to independently assess their performance and identify procedural issues, reducing their reliance on IT for initial problem assessment.
These case studies collectively demonstrate that Splunk is a well-established and proven solution for a wide range of applications within the telecommunications industry. The successes reported by companies like Telenor and CenturyLink underscore the practical advantages of using Splunk to manage the complexities of modern telecom infrastructures, leading to tangible improvements in incident response, service availability, and overall operational efficiency. This makes Splunk a strategic asset for achieving comprehensive observability and driving data-driven decision-making in the telecommunications landscape.
To learn more about Splunk for communications service providers visit our website or contact your Splunk representative.
Regards,
Gaurav Gupta
Industry Strategist (Telco & Retail)
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.