The ExtraHop Add-On for Splunk enables you to export ExtraHop wire data metrics as Splunk events. You can export metrics about any activity group, device group, or application on an ExtraHop Discover or Command Appliance. After the Splunk platform indexes the events, you can analyze the data through the dashboards in the ExtraHop App for Splunk or by creating your own visualizations. In addition, the ExtraHop Add-On for Splunk provides a data model for ExtraHop detections sent by the ExtraHop Detection SIEM Connector bundle.
The ExtraHop Add-On for Splunk collects 30-second metrics through the ExtraHop REST API. Dataset metrics are collected for 5th, 25th, 50th, 75th, and 95th percentiles. All events collected by the ExtraHop Add-On for Splunk are assigned the extrahop* source type. All detections collected by the ExtraHop Add-On for Splunk are assigned the extrahop-detection** source type.
Splunk Enterprise 7.0 or later
ExtraHop firmware version 7.1.2 or later
You must have an API key with at least “metrics”:”full” privileges. For more information about ExtraHop REST API keys, see the ExtraHop REST API Guide.
The ExtraHop Add-On for Splunk can be installed on a Splunk search head or heavy forwarder.
For information about installing an add on, see the Splunk Add-Ons documentation.
If you want to connect the add-on to your ExtraHop appliance over a proxy, you must configure proxy settings.
After you install the ExtraHop Add-On for Splunk, we recommend that you install the ExtraHop App for Splunk to help you configure the ExtraHop Add-On. The ExtraHop App creates default inputs to collect metrics about HTTP, DNS, and storage activity and builds dashboards to display that information.
For more information about the ExtraHop App for Splunk, see https://splunkbase.splunk.com/app/3939/.
You must create data inputs that collect information from an ExtraHop appliance to retrieve wire data metrics.
The ExtraHop Add-On for Splunk contains a sourcetype for ExtraHop detections. In order to receive detections in Splunk, you must configure a data input for ExtraHop detections and configure the ExtraHop Detection SIEM Connector on your ExtraHop Command or Discover appliance.
Detection data can be sent from a Command or Discover appliance to Splunk through the syslog protocol. Complete the procedure in the Splunk documentation to get data from a TCP or UDP port. You must set the source type value to extrahop-detection.
Follow the instructions on the ExtraHop Detection SIEM Connector bundle page to configure your ExtraHop appliance to send detections data to Splunk.
If you edit or clone a data input, the API key field is automatically set to a series of asterisks. You must re-enter the API key for the ExtraHop appliance before saving the input.
Why isn’t my data appearing in Splunk?
It might take some time for the your data to be indexed initially by Splunk. Errors for this add-on are logged to the splunkd.log and ta_extrahop_addon_extrahop.log log files.
Added support for ExtraHop detections
Object IDs no longer incorrect in 'extrahop' events (since 1.1.0)
Data for ExtraHop devices and applications now retrieved at ingest time.
(NOTE: This version changes how device data is indexed in Splunk's KV Store.
It may be useful to clean the "TA_extrahop_oiddev" collection,
but it is not necessary. This can be done by running the following command:
$SPLUNK_HOME/bin/splunk clean kvstore -app TA-extrahop_addon -collection TA_extrahop_oiddev
Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 50GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.