Splunk ODS over HTTP(S) Instructions

Using an ExtraHop Open Data Stream (ODS) to Send RAW data to Splunk

ODS Configuration:
Note: an ODS can only be configured on ExtraHop Discover appliances.

Post Options: Test Post configuration (used in step 13 below)

{
    "path": "/services/collector/raw?channel=insertchannelnumber",
    "headers": {
        "Content-Type": [
            "application/json"
        ]
    },
    "payload": {
        "time": 1556132710,
        "event": {
            "message": "Testing ExtraHop ODS",
            "severity": "INFO"
        },
        "index": "app",
        "source": "Extrahop",
        "sourcetype": "_json"
    }
}

  1. Log into the Admin UI on the ExtraHop Discover appliance.

  2. In the System Configuration section, click Open Data Streams.

  3. Click Add Target.

  4. From the Target Type drop-down menu, select HTTP.

  5. In the Name field, type a name for the target, for example PROD-ODS-EH-SPLUNK.

  6. In the Host field, type the hostname or IP address of the remote HTTP collector.

  7. In the Port field, type the port number of the remote HTTP collector.

  8. From the Type drop-down menu, select one of the following protocols: HTTP or HTTPS.

  9. Select Pipeline Requests to enable HTTP pipelining, which can improve throughput speed.

  10. In the Additional HTTP Header field, add the Splunk HEC token as an Authorization header: Authorization: Splunk XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX

  11. Leave Authentication set to None.

  12. Select POST.

  13. Under Options, enter the Test Post configuration shown above (path, headers and payload).

  14. Click Test.

  15. Click Save.

Next Steps:

Create a trigger that specifies what HTTP message data to send and initiates the transmission of data to the target. For more information, see the Remote.HTTP class in the ExtraHop Trigger API Reference.
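The following is an added example of such a trigger body, not ExtraHop's or Splunk's own code: it builds the Remote.HTTP post options for the Splunk HEC raw endpoint from an HTTP transaction, in the same shape as the Test Post configuration above. The target name, the channel id and the transaction fields (clientIp, serverIp, method, uri, statusCode, timestampMs) are assumptions; in a real trigger they would come from the ExtraHop runtime objects (Flow, HTTP, getTimestamp()).

```javascript
// Added example (not ExtraHop's or Splunk's own code): build the Remote.HTTP
// post options for the Splunk HEC raw endpoint from an HTTP transaction, in
// the same shape as the Test Post configuration above.
const ODS_TARGET = "PROD-ODS-EH-SPLUNK";                    // target name from step 5
const HEC_CHANNEL = "00000000-0000-0000-0000-000000000000"; // placeholder channel id

// Map an HTTP status code to a severity so server-side failures stand out in Splunk.
function severityForStatus(statusCode) {
  if (statusCode >= 500) return "ERROR";
  if (statusCode >= 400) return "WARN";
  return "INFO";
}

// txn is a plain object; inside a trigger these values would come from the
// ExtraHop runtime (e.g. Flow.client.ipaddr, HTTP.method, HTTP.uri,
// HTTP.statusCode, getTimestamp()), assumed here rather than read directly.
function buildHecPost(txn) {
  const body = {
    time: Math.floor(txn.timestampMs / 1000),   // HEC expects epoch seconds
    event: {
      client: String(txn.clientIp),
      server: String(txn.serverIp),
      method: txn.method,
      uri: txn.uri,
      status: txn.statusCode,
      severity: severityForStatus(txn.statusCode)
    },
    index: "app",
    source: "Extrahop",
    sourcetype: "_json"
  };
  return {
    path: "/services/collector/raw?channel=" + encodeURIComponent(HEC_CHANNEL),
    // The Authorization header is NOT set here: the Splunk token stays in the
    // target's Additional HTTP Header (step 10), so triggers never carry it.
    headers: { "Content-Type": ["application/json"] },
    payload: JSON.stringify(body)              // post() takes the body as a string
  };
}

// Send via the named ODS target. Remote is a global in the trigger runtime;
// outside it (e.g. a local test) the function reports that nothing was sent.
function sendToSplunk(post) {
  if (typeof Remote === "undefined") return false;
  Remote.HTTP(ODS_TARGET).post(post);
  return true;
}
```

Attach the trigger to the HTTP_RESPONSE event so the status code is available; if the Test in step 14 succeeds but trigger events do not appear in Splunk, compare the trigger's path and channel against the saved Test Post first.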