Application Performance Metric of the Month: HTTP Payload Details | ExtraHop

For our November performance metric of the month, we're looking at HTTP payloads. Hypertext Transfer Protocol (HTTP) is a tremendously important technology layer that supports many critical services. As the basis for web applications and services, HTTP traffic carries a rich trove of information that is important for monitoring application performance, gaining insight into business transactions, and understanding the end-user experience. However, much of this valuable information is unavailable to IT Operations teams with legacy toolsets.

Surgical Precision + Deep, Real-Time Analysis

The ExtraHop system applies recent advances in processing power and storage capacity to perform incredibly sophisticated real-time HTTP transaction analysis than has not been previously possible. In addition to monitoring status codes and methods for all HTTP transactions in real time, the ExtraHop system analyzes HTTP payloads, including structured transactional data passed over HTTP such as REST, JSON, AJAX, JavaScript, SOAP/XML, and HTML5. This depth of analysis enables IT teams to define new metrics based on details contained in the payload. To achieve these results, ExtraHop introduced its unique Application Inspection Triggers (AI Triggers) technology, a framework for real-time analysis based on scriptable event-processing at the application-protocol level.

And what about Splunk?

The resulting ability to target specific transactions based on payload characteristics makes ExtraHop an extremely valuable source of information for Splunk implementations. Although Splunk is a truly amazing platform for making sense of machine data, the output is only as good as the input it receives. With the ExtraHop system, IT teams can capture real-time events across tiers with surgical precision and then immediately send them to Splunk using rsyslog.

Extending the Boundaries of What's Possible

In the case of web transactions, IT teams can use the ExtraHop system to capture information in the HTTP payload that cannot be logged. This information can't be logged because web servers such as Apache and Microsoft IIS only log headers, URIs, and server processing time. These are important metrics but do not provide a true picture of performance.

Take, for example, web transactions with status code 200, which indicates that the server responded to a request. At face value, a stream of these status codes would indicate healthy performance.

Click the image to enlarge. The ExtraHop system enables IT teams to export specific metrics to Splunk.

However, by analyzing the titles of the pages returned by the server, we could see that many of these pages are "Sorry, page not found," "Sorry, page not available," or "Sorry, unexpected error." This is certainly not the same picture of health given by the status codes only! What's more, application delivery controllers can insert these types of pages en route so that there would be no way to capture these details on the web server itself.

Click the image to enlarge. The ExtraHop system can extract details in the header such as page titles that read "Sorry, unexpected error."

As interesting as the above scenario may be, it barely begins to plumb the depths of what the ExtraHop system is capable of uncovering. One customer used the ExtraHop system to identify duplicate orders in its payment processing web service with the combination of ExtraHop and Splunk. Akin to identifying a snowflake in an avalanche, this customer's problem would be nearly impossible to solve using traditional methods because of the sheer volume of data.

In this example, this customer's payment-processing web service used the XML format. The customer used the ExtraHop system to extract the user name, account number, merchant ID, and order ID from the HTTP payload.

Click the image to enlarge. In addition to header information, the ExtraHop system analyzes the full HTTP payload, including user names and order IDs used in payment processing.

With these transaction events exported to Splunk in real time, the customer could conclusively answer questions that they had pursued for months without resolution. In particular, they could identify that the system was in fact generating duplicate orders and they could also see which accounts were affected.

Click the image to enlarge. With surgical logging, IT teams can quickly answer questions about critical business transactions, such as duplicate orders.

Now that you've read the details, check out the video below to see a hands-on demo led by ExtraHop CEO Jesse Rothstein at Splunk .conf2012. Jesse explains the ExtraHop and Splunk integration and shows live examples of how this combination provides incredible IT operational intelligence.

What's the takeaway? With ExtraHop, now you can surgically export custom-defined, real-time metrics to Splunk, including details contained in the HTTP payload. Get started today with the Splunk for ExtraHop app, available for download on Splunkbase. If you download the app and like it, be sure to give us a rating on Splunkbase!

This is a companion discussion topic for the original entry at

This would be awesome if we documented how to create custom records in the Explore Appliance from the XML of web services…

1 Like