icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

End User License Agreement for Third-Party Content

Splunk Websites Terms and Conditions of Use

Thank You

Downloading ExtraHop Add-On for Splunk
SHA256 checksum (extrahop-add-on-for-splunk_120.tgz) 40ad3897f813e83a3d4ce709093fe33913382526832ec4cc85b03aba633bc92d SHA256 checksum (extrahop-add-on-for-splunk_111.tgz) 40f528157397aacf0d8f9c16a632395d9a740106a39454f48c9171139397aa93
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

ExtraHop Add-On for Splunk

Splunk AppInspect Passed
Overview
Details
The ExtraHop Add-On for Splunk enables you to export ExtraHop wire data metrics as Splunk events. You can export metrics about any activity group, device group, or application on an ExtraHop Discover or Command Appliance. After the Splunk platform indexes the events, you can analyze the data through the dashboards in the ExtraHop App for Splunk or by creating your own visualizations.

About

The ExtraHop Add-On for Splunk enables you to export ExtraHop wire data metrics as Splunk events. You can export metrics about any activity group, device group, or application on an ExtraHop Discover or Command Appliance. After the Splunk platform indexes the events, you can analyze the data through the dashboards in the ExtraHop App for Splunk or by creating your own visualizations. In addition, the ExtraHop Add-On for Splunk provides a data model for ExtraHop detections sent by the ExtraHop Detection SIEM Connector bundle.

The ExtraHop Add-On for Splunk collects 30-second metrics through the ExtraHop REST API. Dataset metrics are collected for 5th, 25th, 50th, 75th, and 95th percentiles. All events collected by the ExtraHop Add-On for Splunk are assigned the extrahop* source type. All detections collected by the ExtraHop Add-On for Splunk are assigned the extrahop-detection** source type.

Requirements

Splunk Requirements
Splunk Enterprise 7.0 or later

ExtraHop Requirements
ExtraHop firmware version 7.1.2 or later

You must have an API key with at least “metrics”:”full” privileges. For more information about ExtraHop REST API keys, see the ExtraHop REST API Guide.

Installation Instructions

The ExtraHop Add-On for Splunk can be installed on a Splunk search head or heavy forwarder.

For information about installing an add on, see the Splunk Add-Ons documentation.

Configure proxy settings

If you want to connect the add-on to your ExtraHop appliance over a proxy, you must configure proxy settings.

  1. On the Splunk Web home screen, click the ExtraHop Add-On for Splunk icon in the navigation bar to launch the add-on.
  2. Click Configuration.
  3. On the Proxy tab, configure proxy settings.

Install the ExtraHop App for Splunk

After you install the ExtraHop Add-On for Splunk, we recommend that you install the ExtraHop App for Splunk to help you configure the ExtraHop Add-On. The ExtraHop App creates default inputs to collect metrics about HTTP, DNS, and storage activity and builds dashboards to display that information.

For more information about the ExtraHop App for Splunk, see https://splunkbase.splunk.com/app/3939/.

Create metric inputs for the ExtraHop Add-On for Splunk

You must create data inputs that collect information from an ExtraHop appliance to retrieve wire data metrics.

  1. On the Splunk Web home screen, click the ExtraHop Add-On for Splunk icon in the navigation bar to launch the add-on.
  2. Click Inputs.
  3. Click Create New Input.
  4. In the Add ExtraHop Add-On for Splunk window, specify settings for the input
    Note: Each input can only collect metrics for a single metric category. If you want to collect metrics for multiple categories, you must create multiple inputs.
  5. Click Add.

Create a data input for detections

The ExtraHop Add-On for Splunk contains a sourcetype for ExtraHop detections. In order to receive detections in Splunk, you must configure a data input for ExtraHop detections and configure the ExtraHop Detection SIEM Connector on your ExtraHop Command or Discover appliance.

Configure a data input in Splunk

Detection data can be sent from a Command or Discover appliance to Splunk through the syslog protocol. Complete the procedure in the Splunk documentation to get data from a TCP or UDP port. You must set the source type value to extrahop-detection.

Configure the ExtraHop Detection SIEM Connector

Follow the instructions on the ExtraHop Detection SIEM Connector bundle page to configure your ExtraHop appliance to send detections data to Splunk.

Known issues

If you edit or clone a data input, the API key field is automatically set to a series of asterisks. You must re-enter the API key for the ExtraHop appliance before saving the input.

Troubleshooting FAQ

Why isn’t my data appearing in Splunk?

It might take some time for the your data to be indexed initially by Splunk. Errors for this add-on are logged to the splunkd.log and ta_extrahop_addon_extrahop.log log files.

Release Notes

Version 1.2.0
April 24, 2019

Added support for ExtraHop detections
Version 1.1.1
Feb. 14, 2019

Object IDs no longer incorrect in 'extrahop' events (since 1.1.0)
Data for ExtraHop devices and applications now retrieved at ingest time.

(NOTE: This version changes how device data is indexed in Splunk's KV Store.
It may be useful to clean the "TA_extrahop_oiddev" collection,
but it is not necessary. This can be done by running the following command:
$SPLUNK_HOME/bin/splunk clean kvstore -app TA-extrahop_addon -collection TA_extrahop_oiddev
)
56
Installs
426
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
This version has not passed Splunk AppInspect.
This version has not passed Splunk AppInspect.
This version has not passed Splunk AppInspect.
This version has not passed Splunk AppInspect.
This version has not passed Splunk AppInspect.
This version has not passed Splunk AppInspect.
This version has not passed Splunk AppInspect.
This version has not passed Splunk AppInspect.
Built by
ExtraHop Networks
Support
Developer Supported
Contact Developer Questions on Splunk Answers Flag as inappropriate
Compatibility
Products: Splunk Enterprise Products: Splunk Enterprise
Splunk Versions: 7.2, 7.1, 7.0 Platform: Platform Independent Splunk Versions: 7.2, 7.1, 7.0 Platform: Platform Independent
Licensing
End User License Agreement for Third-Party Content
Category & Contents
Categories: Security, Fraud & Compliance, IT Operations
App Type: Add-on
Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Learn More

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Submit Your App Dev Resources
Follow Us:
© 2005-2019 Splunk Inc. All rights reserved.
Sitemap | Contact | Careers | Privacy | Terms of Use | Export Control | Report a Problem
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.