The ExtraHop Add-On for Splunk enables you to export ExtraHop wire data metrics as Splunk events. You can export metrics about any activity group, device group, or application from an ExtraHop Discover or Command appliance. After the Splunk platform indexes the events, you can analyze the data through the dashboards in the ExtraHop App for Splunk or by creating your own visualizations.
The ExtraHop Add-On for Splunk collects 30-second metrics through the ExtraHop REST API. Dataset metrics are collected for 5th, 25th, 50th, 75th, and 95th percentiles. All events collected by the ExtraHop Add-On for Splunk are assigned the extrahop source type.
$SPLUNK_HOME/etc/apps/TA-extrahop_addon/local/ta_extrahop_addon_settings.conf and add validate_ssl_certificates = 0 under additional_parameters stanza.(NOTE: This version changes how device data is indexed in Splunk's KV Store.
It may be useful to clean the "TA_extrahop_oiddev" collection,
but it is not necessary. This can be done by running the following command:
$SPLUNK_HOME/bin/splunk clean kvstore -app TA-extrahop_addon -collection TA_extrahop_oiddev
)
This app can be set up in two ways:
ExtraHop Add-On for Splunk can be installed through UI using "Manage Apps" > "Install app from file" or by extracting tarball directly into $SPLUNK_HOME/etc/apps/ folder.
To configure Extrahop account, navigate to ExtraHop Add-On for Splunk, click on "Configuration", go to "Accounts" tab, click on "Add" button and fill in the details asked and click "Add". Field descriptions are as below:
| Field Name | Field Description |
|---|---|
Account Name* |
Unique name for your account |
Instance Type * |
Instance type for data collection |
Hostname* |
Hostname of your Extrahop account |
| API Key | API Key corresponding to your Extrahop On-Prem Account |
| Client ID | Client ID corresponding to your Extrahop Cloud Account |
| Client Secret | Client Secret corresponding to your Extrahop Cloud Account |
Navigate to ExtraHop Add-On for Splunk, click on "Configuration", go to the "Proxy" tab, fill in the details asked and click "Save". Field descriptions are as below:
| Field Name | Field Description |
|---|---|
| Enable | Enable/Disable proxy |
Proxy Type* |
Type of proxy |
Host* |
Hostname/IP Address of the proxy |
Port* |
Port of proxy |
| Username | Username for proxy authentication (Username and Password are inclusive fields) |
| Password | Password for proxy authentication (Username and Password are inclusive fields) |
| Remote DNS resolution | Check this box if you want to use Remote DNS resolution |
Note: * denotes required fields
After you install the ExtraHop Add-On for Splunk, we recommend that you install the ExtraHop App for Splunk to help you configure the ExtraHop Add-On. The ExtraHop App creates default inputs to collect metrics about HTTP, DNS, and storage activity and builds dashboards to display that information.
For more information about the ExtraHop App for Splunk, see https://splunkbase.splunk.com/app/3939/.
You must create data inputs that collect information from an ExtraHop appliance to retrieve wire data metrics.
The ExtraHop Add-On for Splunk contains a sourcetype for ExtraHop detections. In order to receive detections in Splunk, you must configure a data input for ExtraHop detections and configure the ExtraHop Detection SIEM Connector on your ExtraHop Command or Discover appliance.
Detection data can be sent from a Command or Discover appliance to Splunk through the syslog protocol. Complete the procedure in the Splunk documentation to get data from a TCP or UDP port. You must set the source type value to extrahop-detection.
Follow the instructions on the ExtraHop Detection SIEM Connector bundle page to configure your ExtraHop appliance to send detections data to Splunk.
Follow the steps mentioned below in order to upgrade your ExtraHop Add-On for Splunk v2.1.0:
This add-on provides the index-time and search-time knowledge for the following types of data from the ExtraHop system:
Extrahop wire data metrics
All ExtraHop wire data metrics have a sourcetype of extrahop.
Extrahop detections
All Extrahop detections have a sourcetype of extrahop-detection.
The ExtraHop Add-On for Splunk contains 2 KV store lookups: the extrahop_deviceoid_lookup and the extrahop_appuuid_lookup.
The extrahop_deviceoid_lookup adds display names, MAC addresses, and IP addresses to ExtraHop events to Splunk.
The extrahop_appuuid_lookup saves ExtraHop appliance UUIDs for the ExtraHop App for Splunk
You can configure the Splunk Event Generator to create sample ExtraHop events through the ExtraHop Add-On for Splunk . Sample event generation is configured through the eventgen.conf file. Sample events retrieve data from the samples directory of the Splunk Event Generator package. For more information about the Splunk Event Generator, see see the Eventgen GitHub page.
Some of the components included in "ExtraHop Add-On for Splunk" are licensed under free or open source licenses. We wish to thank the contributors to those projects. Version 2.1.0 of the ExtraHop Add-On for Splunk incorporates the following third-party software or libraries:
index=_internal sourcetype="taextrahop:log"Note: $SPLUNK_HOME denotes the path where Splunk is installed. Ex: /opt/splunk
Note: $SPLUNK_HOME denotes the path where Splunk is installed. Ex: /opt/splunk
Contact ExtraHop Support for assistance with this app at https://www.extrahop.com/support/
Copyright ExtraHop Networks 2021
$SPLUNK_HOME/etc/apps/TA-extrahop_addon/local/ta_extrahop_addon_settings.conf and add validate_ssl_certificates = 0 under additional_parameters stanza.As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.