Why ExtraHop + Splunk Integration Matters

The new Splunk App for ExtraHop captures real-time metrics that are otherwise difficult or impossible to log.

Splunk, acquired by Cisco in September 2023, is well known for its powerful Big Data approach to log file analysis. IT Operations teams all over the world use Splunk. Enterprise software to free them from the drudgery of having to manually inspect server logs. With Splunk's solution, these IT Operations teams can more easily manage, visualize, and analyze massive amounts of machine data generated in their datacenter.

Operational intelligence from Splunk complements the real-time application performance monitoring from ExtraHop. Both ExtraHop and Splunk represent better ways of solving difficult challenges, including network detection and response (NDR). That's why Gartner listed both companies in their December 2011 APM Innovators report.

Read more about our network performance monitoring (NPM) solution here.

Adding Policy-Based and Precision Logging to Big Data Operational Intelligence

Many thought-leading ExtraHop customers, such as Concur Technologies, use ExtraHop and Splunk in conjunction. In these scenarios, the ExtraHop system provides proactive early warning and cross-tier correlation for monitoring and troubleshooting application performance issues, while Splunk provides the historical analysis, trending, and reporting for the infrastructure, including security incident analysis.

Following the suggestions of our joint customers, ExtraHop and Splunk collaborated to integrate our products. The new Splunk App for ExtraHop enables IT teams to record important real-time information and metrics in Splunk that would otherwise be difficult or impossible to log.

Network health and performance metrics.

IT teams can use the ExtraHop system to capture holistic TCP metrics—spanning both the applications and network—that are timely and relevant for real-time troubleshooting. Without this precision logging, Splunk users are dependent on the quality and scale of logging provided by network device vendors.

Web servers

With the ExtraHop system, IT teams gain visibility into HTTP/S payloads without having to change the application code and can correlate web tier performance with network behaviors, a crucial aspect of network performance monitoring (NPM). Application payload information cannot be logged, and only ExtraHop can extract elements like Order ID, Merchant ID, Title, and Transaction ID and forward that on to Splunk with no performance impact. This approach also provides visibility into related infrastructure components, such as application delivery controllers and caches that can obscure web server performance, thereby enhancing security and NPM.

Application servers

The ExtraHop system helps IT teams avoid problems with inconsistent and inflexible logging options available on application servers including Apache Tomcat, ASP.NET, and Ruby on Rails. Obtaining the right log data normally requires scripted inputs using JMS/JMX. In contrast, ExtraHop sends precise application server metrics, as well as payload information, to Splunk that take network performance into account as well, contributing to NPM and security analytics.

Database servers

The ExtraHop system deploys non-intrusively and imposes zero overhead. In contrast, turning on database profiling to obtain log data adds too much overhead for that method to be used in production. Running an SQL trace added 19% and 147% overhead for two example workloads, respectively, according to an MSDN paper on Microsoft SQL Server 2008 auditing, highlighting the importance of NPM and security in database operations.​​​​​

Depending on the workload, running an SQL trace to gather database server log data can add significant overhead.

• Storage devices. With the ExtraHop system, IT teams gain access to real-time storage performance metrics, including details that are difficult or impossible to derive from logs or storage APIs, such as file access times for specific clients. This is crucial for both network performance monitoring and security incident detection.
• Transaction metrics. Perhaps most importantly, the ExtraHop system correlates health and performance metrics from discrete components in the application delivery chain to determine end-to-end response times, cross-tier metrics, and end-user metrics. This provides invaluable insights for both NPM and security analytics.

The ExtraHop system correlates performance metrics from throughout theapplication delivery chain to provide application response time metrics.

The Splunk App for ExtraHop is now available for download from Splunkbase. This 3-minute video demonstrates how the integration between ExtraHop and Splunk works. If you use Splunk Enterprise in your environment and would like to add real-time application performance monitoring and troubleshooting capabilities, contact us today. Want to learn more? Try our free, interactive online demo.