ExtraHop Splunk Bundle



### Bundle details and download

For those interested in integrating ExtraHop with Splunk, we’ve created a toolkit for you to try out this integration.

Introductory Video (courtesy of Master SE, the illustrious Mr. Dan Greer)


Any new functionality that’s not in the v 4.0 extrahop/splunk bundle? Aside from compatibility w/ 5, that is.


Why would someone send data to splunk via extrahop? Is it possible to pull off an F5

X-Forward for the IP where they’re coming from and going to
EventTime for the time of the event
Request for the GET file GIF etc that they’re requesting
HTTPStatuscode self explanatory
Referer is the previous URL link
User Agent has the browser OS
Request Time for the duration of the request.
Host is the main URL


I’m not familiar with everything that you can pull from an F5, but quite a few IT organizations that have both products deployed send ExtraHop events and metrics into Splunk because it’s simply a better way to get at some information than logs. The ExtraHop + Splunk datasheet provides an overview of the integration: https://assets.extrahop.com/migrated/uploads/2013/06/ExtraHop-and-Splunk-datasheet.pdf

We also have an ExtraHop for Splunk app that collects the following metrics:

  • Web metrics – Responses over time, average transaction response times, JSON, AJAX, and SOAP/XML payload, status codes with detail, and web traffic throughput
  • Web services metrics – External and internal API calls, events over time, top active account numbers, top active users, and other customizable metrics such as duplicate order IDs
  • Database metrics – All methods, queries, response times, transaction response times, errors, top methods, and top users
  • Storage metrics – Responses over time, average transaction response times, errors, top methods, and top users
  • Memcache metrics – Transactions over time, average access time, errors, message sizes, top response codes, top methods


I made a couple of small tweaks to the ExtraHop Splunk Bundle to remove deprecated trigger code, updating with elements that should be valid for EDA firmware versions 5.2 - 7.1+.


We’ve removed the accompanying app on Splunkbase. The new integration doesn’t require any bundle on the ExtraHop side. Instead, it uses a new Splunk add-on and app to pull metrics from the ExtraHop REST API. Read about the new integration here: https://www.extrahop.com/company/blog/2018/extrahop-app-for-splunk/

ExtraHop app: https://splunkbase.splunk.com/app/3939/
ExtraHop add-on: https://splunkbase.splunk.com/app/3938/