The Cisco Stealthwatch Data Exporter allows users to take flow data from the Stealthwatch system to be processed and stored by their own application.


The Cisco Stealthwatch Data Exporter is a reference implementation client for the Stealthwatch Flow Forwarder. The Flow Forwarder does the following:

  • Consumes flow events from the Stealthwatch Flow Collector.

  • Sends stitched, de-duplicated flow records over a secure web socket to clients.

The flow records are converted to java.io.ByteBuffer containing protocol buffer representations of external flow. The Data Exporter reads the ByteBuffer and translates the information to a plain string. See "Supported NetFlow Fields" for the data provided in the string.

Note: As an alternative to developing your own Data Exporter client application, you can purchase the Cisco Stealthwatch Flow Export Service. This service helps customers obtain and transfer Stealthwatch flow records into their big data platform. Using this service shortens the time to deployment of a scalable flow adaptation implementation in your environment. Contact Steathwatch Customer Success for more information.

Integration with Third Party Applications

The Data Exporter can be integrated with third party applications, such as Splunk, to view the exported information. For example, Splunk can read the plain string obtained by the protobuf log file as structured data. Once the data is indexed in Splunk, users can search, filter, and display the flow data in a variety of ways. Refer to the third party application’s documentation for configuration details.


The Data Exporter is hosted on GitHub. Go here to download the client: https://github.com/CiscoDevNet/stealthwatch-data-exporter

System Requirements

The client requires: