The ExtraHop Add-On for Splunk enables you to export ExtraHop wire data metrics as Splunk events. You can export metrics about any activity group, device group, or application on an ExtraHop Discover or Command Appliance. After the Splunk platform indexes the events, you can analyze the data through the dashboards in the ExtraHop App for Splunk or by creating your own visualizations.
The ExtraHop Add-On for Splunk collects 30-second metrics through the ExtraHop REST API. Dataset metrics are collected for 5th, 25th, 50th, 75th, and 95th percentiles. All events collected by the ExtraHop Add-On for Splunk are assigned the extrahop source type.
Splunk Enterprise 7.0 or later
ExtraHop firmware version 7.1.2 or later
You must have an API key with at least "metrics":"full" privileges. For more information about ExtraHop REST API keys, see the ExtraHop REST API Guide.
The ExtraHop Add-On for Splunk can be installed on a Splunk search head or heavy forwarder.
For information about installing an add-on, see the Splunk Add-Ons documentation.
If you want to connect the add-on to your ExtraHop appliance over a proxy, you must configure proxy settings.
After you install the ExtraHop Add-On for Splunk, we recommend that you install the ExtraHop App for Splunk to help you configure the ExtraHop Add-On.
The ExtraHop App adds additional information to the data that the ExtraHop Add-On collects, including the IP addresses, MAC addresses, and hostnames of devices discovered by ExtraHop. The app also creates default inputs to collect metrics about HTTP, DNS, and storage activity and builds dashboards to display that information.
For more information about the ExtraHop App for Splunk, see https://splunkbase.splunk.com/app/3939/.
You must create data inputs that collect information from an ExtraHop appliance.
If you edit or clone a data input, the API key field is automatically set to a series of asterisks. You must re-enter the API key for the ExtraHop appliance before saving the input.
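As an added example (not the add-on's own code), the following Python sketches what the collection and API-key passages above imply: a request for 30-second dataset metrics at the five percentiles the add-on collects, a refusal to send the masked asterisk value as a key, and the flattening of a response into events with the extrahop sourcetype. The request and response field names, the percentile calc_type, and the sample response are assumptions here, not taken from this page; check them against the ExtraHop REST API Guide.

```python
# Added example (not the add-on's own code): build the ExtraHop REST query the
# add-on's collection implies, refuse a masked API key, and flatten a response
# into Splunk events. Field names are assumptions; verify with the REST API Guide.
from typing import Dict, List

PERCENTILES = [5, 25, 50, 75, 95]   # dataset percentiles the add-on collects
SOURCETYPE = "extrahop"             # sourcetype assigned to every add-on event

def is_masked_key(api_key: str) -> bool:
    """True for the all-asterisk placeholder the Splunk edit form shows for a saved key."""
    return not api_key or set(api_key) <= {"*"}

def auth_header(api_key: str) -> Dict[str, str]:
    """ExtraHop API key header; the mask must never be stored or sent as the key."""
    if is_masked_key(api_key):
        raise ValueError("API key is missing or masked; re-enter it before saving")
    return {"Authorization": f"ExtraHop apikey={api_key}", "Accept": "application/json"}

def metrics_query(object_type: str, object_ids: List[int], category: str,
                  metric: str, from_ms: int, until_ms: int) -> dict:
    """Body for POST /api/v1/metrics (assumed names): 30-second cycle, five percentiles."""
    return {
        "cycle": "30sec", "from": from_ms, "until": until_ms,
        "object_type": object_type,        # "device", "device_group" or "application"
        "object_ids": object_ids, "metric_category": category,
        "metric_specs": [{"name": metric, "calc_type": "percentiles",
                          "percentiles": PERCENTILES}],
    }

def to_events(response: dict, oid_names: Dict[int, str]) -> List[dict]:
    """One event per object per interval; oid_names stands in for the device
    data the add-on now resolves at ingest time (the TA_extrahop_oiddev lookup)."""
    events = []
    for stat in response["stats"]:
        for spec, values in zip(response["metric_specs"], stat["values"]):
            event = {"sourcetype": SOURCETYPE, "time": stat["time"] / 1000.0,
                     "object_id": stat["oid"], "metric": spec["name"],
                     "object_name": oid_names.get(stat["oid"], "unknown")}
            event.update({f"p{p}": v for p, v in zip(spec["percentiles"], values)})
            events.append(event)
    return events

SAMPLE_RESPONSE = {  # constructed sample in the assumed layout, not a real capture
    "metric_specs": [{"name": "tprocess", "percentiles": PERCENTILES}],
    "stats": [{"oid": 1, "time": 1700000000000, "values": [[2, 5, 11, 30, 120]]},
              {"oid": 1, "time": 1700000030000, "values": [[2, 4, 10, 28, 95]]}],
}
```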
Why isn’t my data appearing in Splunk?
It might take some time for your data to be indexed initially by Splunk. Errors for this add-on are logged to the splunkd.log and ta_extrahop_addon_extrahop.log log files.
Object IDs no longer incorrect in 'extrahop' events (since 1.1.0)
Data for ExtraHop devices and applications now retrieved at ingest time.
NOTE: This version changes how device data is indexed in Splunk's KV Store. Cleaning the "TA_extrahop_oiddev" collection may be useful but is not necessary; it can be done by running the following command:
$SPLUNK_HOME/bin/splunk clean kvstore -app TA-extrahop_addon -collection TA_extrahop_oiddev