ExtraHop Add-On for Splunk
Overview
Details
About
The ExtraHop Add-On for Splunk enables you to export ExtraHop wire data metrics as Splunk events. You can export metrics about any activity group, device group, or application on an ExtraHop Discover or Command Appliance. After the Splunk platform indexes the events, you can analyze the data through the dashboards in the ExtraHop App for Splunk or by creating your own visualizations.
The ExtraHop Add-On for Splunk collects 30-second metrics through the ExtraHop REST API. Dataset metrics are collected for 5th, 25th, 50th, 75th, and 95th percentiles. All events collected by the ExtraHop Add-On for Splunk are assigned the extrahop source type.
Requirements
Splunk Requirements
Splunk Enterprise 7.0 or later
ExtraHop Requirements
ExtraHop firmware version 7.1.2 or later
You must have an API key with at least “metrics”:”full” privileges. For more information about ExtraHop REST API keys, see the ExtraHop REST API Guide.
Installation Instructions
The ExtraHop Add-On for Splunk can be installed on a Splunk search head or heavy forwarder.
For information about installing an add on, see the Splunk Add-Ons documentation.
Configure proxy settings
If you want to connect the add-on to your ExtraHop appliance over a proxy, you must configure proxy settings.
- On the Splunk Web home screen, click the ExtraHop Add-On for Splunk icon in the navigation bar to launch the add-on.
- Click Configuration.
- On the Proxy tab, configure proxy settings.
Install the ExtraHop App for Splunk
After you install the ExtraHop Add-On for Splunk, we recommend that you install the ExtraHop App for Splunk to help you configure the ExtraHop Add-On.
The ExtraHop App adds additional information to the data that the ExtraHop Add-On collects, including the IP addresses, MAC addresses, and hostnames of devices discovered by ExtraHop. The app also creates default inputs to collect metrics about HTTP, DNS, and storage activity and builds dashboards to display that information.
For more information about the ExtraHop App for Splunk, see https://splunkbase.splunk.com/app/3939/.
Create inputs for the ExtraHop Add-On for Splunk
You must create data inputs that collect information from an ExtraHop appliance.
- On the Splunk Web home screen, click the ExtraHop Add-On for Splunk icon in the navigation bar to launch the add-on.
- Click Inputs.
- Click Create New Input.
- In the “Add ExtraHop Add-On for Splunk” window, specify settings for the input
Note: Each input can only collect metrics for a single metric category. If you want to collect metrics for multiple categories, you must create multiple inputs. - Click Add.
Known issues
If you edit or clone a data input, the API key field is automatically set to a series of asterisks. You must re-enter the API key for the ExtraHop appliance before saving the input.
Troubleshooting FAQ
Why isn’t my data appearing in Splunk?
It might take some time for the your data to be indexed initially by Splunk. Errors for this add-on are logged to the splunkd.log and ta_extrahop_addon_extrahop.log log files.
Release Notes
Version 1.1.1
Object IDs no longer incorrect in 'extrahop' events (since 1.1.0)
Data for ExtraHop devices and applications now retrieved at ingest time.
(NOTE: This version changes how device data is indexed in Splunk's KV Store.
It may be useful to clean the "TA_extrahop_oiddev" collection,
but it is not necessary. This can be done by running the following command:
$SPLUNK_HOME/bin/splunk clean kvstore -app TA-extrahop_addon -collection TA_extrahop_oiddev
)