Adding data outside ExtraHop


#1

I have heard that extra data from outside ExtraHop can be added. Is there any documentation that explains how this works and how I can query/use it?
I have searched and can’t find any information.


#2

There are two main ways I can think of to accomplish this.

The first way would be to grab the data off the wire (assuming it is there to begin with), process it in a trigger, and create custom metrics the way you would any other metrics out there.

The second way would be to use the Open Data Context API. As per the setup page for it: The Open Data Context API allows external access to the global session table. Clients can store and retrieve key-value pairs using the memcache protocol.

You can use a memcache client to insert whatever data you need into the session table, then pull it out inside of a trigger event, process it, and again write some custom metrics to the datastore.

I’m not sure if I’ve seen any documentation on this, but it is pretty straightforward.

  1. Turn on the Open Data Context API Settings in the admin section of the ExtraHop EDA at Admin › Capture › Open Data Context API Settings.

  2. Set up a memcache client. I’ve used this Python client.

  3. Send the desired data to the ExtraHop by providing a key-value pair. For my Python example I do this with the following two lines:

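    from pymemcache.client.base import Client  # assumed: pymemcache, whose Client takes a (host, port) tuple
    # EDA_IP and memcache_port are the appliance address and its Open Data Context port
    client = Client((EDA_IP, memcache_port))
    client.set("some_key", "some_value")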

  4. In a trigger, look up the value you’ve stored and commit the appropriate metrics. This might look something like the following, though there is an endless number of ways it could be done.

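    // Read back the value stored through the Open Data Context API
    var key_lookup = Session.lookup("some_key");
    // Record it as a custom dataset metric on the application
    Application("My App").metricAddDataset("my_custom_metric", key_lookup);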

  5. You can then plot this custom metric along with other metrics.

Hopefully that helps point you in the right direction.
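
An added example (not part of the reply above and not ExtraHop's code): step 3 written with only the Python standard library, showing the memcache text-protocol `set` frame that goes over the wire and rejecting keys that would break the command line. The host, port 11211 and the `owner:<ip>` records are constructed assumptions.

```python
import socket

MAX_KEY_LEN = 250  # key length limit of the memcache text protocol, in bytes


def encode_set(key: str, value: str, ttl: int = 0) -> bytes:
    """Build one memcache text-protocol 'set' frame for a key-value pair."""
    k = key.encode("utf-8")
    v = value.encode("utf-8")
    if not k or len(k) > MAX_KEY_LEN:
        raise ValueError("key must be 1..250 bytes")
    # The key sits on the command line, so whitespace or control bytes in it
    # would split the line and let untrusted input inject further commands.
    if any(b <= 0x20 or b == 0x7F for b in k):
        raise ValueError("key contains whitespace or control characters")
    if ttl < 0:
        raise ValueError("ttl must be >= 0 (0 = no expiry in the protocol)")
    # The value is length-prefixed, so it may safely contain any bytes.
    return b"set %s 0 %d %d\r\n%s\r\n" % (k, ttl, len(v), v)


def encode_batch(records: dict, ttl: int = 0) -> list:
    """Validate and encode every record before anything is sent."""
    return [encode_set(k, v, ttl) for k, v in records.items()]


def push(host: str, port: int, records: dict, ttl: int = 0) -> list:
    """Send the records and return the keys the server answered STORED for."""
    frames = encode_batch(records, ttl)  # a bad key aborts the whole batch
    stored = []
    with socket.create_connection((host, port), timeout=5.0) as sock:
        with sock.makefile("rb") as reader:
            for key, frame in zip(records, frames):
                sock.sendall(frame)
                if reader.readline().strip() == b"STORED":
                    stored.append(key)
    return stored


if __name__ == "__main__":
    # Constructed sample data: device IP -> owning team.
    sample = {"owner:10.0.0.5": "payments-team", "owner:10.0.0.9": "hr-apps"}
    for frame in encode_batch(sample, ttl=300):
        print(frame)
    # To send for real (placeholder address; 11211 is an assumed port):
    # push("EDA_IP_PLACEHOLDER", 11211, sample, ttl=300)
```

A trigger would read one of these back with `Session.lookup("owner:" + ip)` in the same way as step 4.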