
Flowtriq for Splunk

Receive DDoS incident data in Splunk via HTTP Event Collector. Pre-built dashboard with severity-colored panels, field extractions, and CIM-compliant tags for seamless integration with Splunk Enterprise Security.

Setup

Connect in three steps

1. Create an HEC token in Splunk
Settings > Data Inputs > HTTP Event Collector > New Token
Name: flowtriq
Source type: flowtriq:incident
Index: main (or your preferred index)
Treat the token as a bearer credential: anything that holds it can write into every index the token is allowed to use. Restrict the token's allowed indexes to the one you chose here, and prefer a dedicated index over main so retention and access control for DDoS data can be set separately.

2. Configure the webhook in Flowtriq
Dashboard > Settings > Integrations > Add Webhook
URL: https://your-splunk:8088/services/collector/event
Headers: Authorization: Splunk YOUR_HEC_TOKEN
Format: JSON
HEC listens on port 8088 with TLS enabled by default. Keep the URL on https so the token is never sent in clear, and make sure that port accepts inbound connections from Flowtriq.

3. Sample event payload
{
  "event": {
    "incident_id": "inc_abc123",
    "attack_family": "UDP Flood",
    "severity": "critical",
    "target_ip": "203.0.113.10",
    "peak_bps": 4520000000,
    "peak_pps": 3200000,
    "source_ips": ["198.51.100.1", "198.51.100.2"],
    "mitigation_actions": ["firewall_rule", "bgp_flowspec"],
    "started_at": "2026-06-24T14:32:00Z"
  },
  "sourcetype": "flowtriq:incident"
}
The outer object is the standard HEC envelope: the incident itself sits under "event", and the top-level "sourcetype" overrides the token's default so the add-on's field extractions apply. peak_bps and peak_pps are plain integers (here 4.52 Gbit/s and 3.2 Mpps), and started_at is a UTC timestamp in RFC 3339 form.
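The following is an added example, not Flowtriq's or Splunk's own code, showing what steps 2 and 3 amount to on the wire: it validates an incident against the field set of the sample payload, builds the HEC request (URL, Authorization header, JSON envelope with the event time taken from started_at), and checks the HEC reply. The hostname, the token value and the four-level severity scale are assumptions; the page only shows "critical".

```python
# Added example (not Flowtriq's or Splunk's code): validate a Flowtriq-style incident,
# build the HEC request the webhook step describes, and interpret HEC's reply.
# Hostname, token and the severity scale below are assumptions.
import ipaddress
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Field names follow the sample payload on this page.
REQUIRED_FIELDS = ("incident_id", "attack_family", "severity", "target_ip",
                   "peak_bps", "peak_pps", "source_ips", "mitigation_actions",
                   "started_at")
SEVERITIES = ("low", "medium", "high", "critical")  # assumed scale

# Sample incident, copied from the payload shown above.
SAMPLE_INCIDENT = {
    "incident_id": "inc_abc123",
    "attack_family": "UDP Flood",
    "severity": "critical",
    "target_ip": "203.0.113.10",
    "peak_bps": 4520000000,
    "peak_pps": 3200000,
    "source_ips": ["198.51.100.1", "198.51.100.2"],
    "mitigation_actions": ["firewall_rule", "bgp_flowspec"],
    "started_at": "2026-06-24T14:32:00Z",
}


def started_at_epoch(ts):
    """Turn the RFC 3339 'Z' timestamp into a Unix epoch for HEC's top-level time field."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # treat an offset-less stamp as UTC
    return dt.timestamp()


def validate_incident(incident):
    """Return a list of problems; an empty list means the event is safe to forward."""
    problems = ["missing field: " + f for f in REQUIRED_FIELDS if f not in incident]
    if problems:
        return problems
    if incident["severity"] not in SEVERITIES:
        problems.append("unknown severity: %r" % incident["severity"])
    for label, value in [("target_ip", incident["target_ip"])] + \
            [("source_ips", ip) for ip in incident["source_ips"]]:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            problems.append("%s is not an IP address: %r" % (label, value))
    for name in ("peak_bps", "peak_pps"):
        v = incident[name]
        if isinstance(v, bool) or not isinstance(v, int) or v < 0:
            problems.append(name + " must be a non-negative integer")
    try:
        started_at_epoch(incident["started_at"])
    except (ValueError, TypeError):
        problems.append("started_at is not an ISO 8601 timestamp")
    return problems


def build_hec_request(hec_url, token, incident, sourcetype="flowtriq:incident"):
    """Return (url, headers, body) for one POST to /services/collector/event."""
    parts = urlparse(hec_url)
    if parts.scheme != "https":
        raise ValueError("refusing to send the HEC token over plain http")
    if parts.path != "/services/collector/event":
        raise ValueError("unexpected HEC path: " + parts.path)
    problems = validate_incident(incident)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {
        "Authorization": "Splunk " + token,  # HEC uses the literal scheme "Splunk"
        "Content-Type": "application/json",
    }
    envelope = {
        "event": incident,
        "sourcetype": sourcetype,  # overrides the token default so extractions apply
        "time": started_at_epoch(incident["started_at"]),  # index at attack start
    }
    return hec_url, headers, json.dumps(envelope)


def hec_accepted(status, body):
    """HEC answers 200 with {"text":"Success","code":0}; anything else was not indexed."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("code") == 0
    except ValueError:
        return False


if __name__ == "__main__":
    url, hdrs, body = build_hec_request(
        "https://your-splunk:8088/services/collector/event", "YOUR_HEC_TOKEN", SAMPLE_INCIDENT)
    print(url, hdrs, body, sep="\n")
```

Setting "time" from started_at matters for correlation: without it Splunk stamps the event with its arrival time, so a replayed or delayed webhook lands in the wrong place on the timeline. A non-zero HEC code (for example 4 for an invalid token or 7 for an index the token may not write to) comes back with a 4xx status, so checking only for a successful connection is not enough.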

Capabilities

DDoS intelligence in Splunk

Real-Time Incident Feed

Every DDoS incident detected by Flowtriq is forwarded to Splunk via HEC as it happens. No batch delays. Incidents appear in Splunk within seconds of detection.

Severity-Colored Dashboard

The pre-built dashboard uses severity-based coloring for at-a-glance triage. Critical incidents surface immediately. Panels show active attacks, historical trends, and top targeted infrastructure.

Attack Family Breakdown

Incidents are tagged by attack family: UDP floods, TCP SYN floods, DNS amplification, NTP reflection, and more. Filter and correlate by attack type across your infrastructure.

CIM Tagging

Incident fields are mapped to the Splunk Common Information Model data models for Network Traffic and Intrusion Detection. Flowtriq data works with your existing CIM-based correlation searches and Enterprise Security content out of the box.

Bring DDoS visibility into Splunk

Download the add-on from Splunkbase and start receiving incident data in minutes.

FAQ

Frequently Asked Questions

How does Flowtriq send data to Splunk?

Flowtriq sends DDoS incident data to Splunk via HTTP Event Collector (HEC). Configure your HEC endpoint URL and token in the Flowtriq dashboard, and incidents are forwarded in real time as structured JSON events.

What sourcetype does the Flowtriq add-on use?

The add-on uses the sourcetype flowtriq:incident. Field extractions are pre-configured for all incident fields including attack_family, severity, source_ips, target_ip, peak_bps, peak_pps, and mitigation_actions.

Can I customize the Splunk dashboard?

Yes. The pre-built dashboard is a standard Splunk XML dashboard that you can clone and modify. It includes panels for active incidents, attack family breakdown, severity distribution, and top targeted IPs. Add or remove panels as needed. Work on a clone rather than editing the dashboard shipped with the add-on, since an add-on update replaces the shipped version and would discard your changes.

Is the data CIM-compliant?

Yes. The add-on maps Flowtriq fields to the Splunk Common Information Model (CIM) for the Network Traffic and Intrusion Detection data models. This means Flowtriq data works with any CIM-based correlation searches and Enterprise Security content.