This bundle enables you to export data from your ExtraHop appliance and visualize that data in your Splunk interface.
- Sends HTTP events to Splunk
- Sends Memcache events to Splunk
- Helps send DB events to Splunk
- Sends DB events to Splunk
- Sends CIFS events to Splunk
Caution: Assigning all triggers at once to all of your servers might send a large volume of data to the Splunk interface. We recommend that you first assign these triggers to a single server and then add additional servers as needed.
- ExtraHop firmware version 5.2 or later
- Splunk version 6.3 or later
Note: This bundle is compatible with earlier versions of Splunk (4.3.5 or 5.0.1). However, the instructions and steps will vary in those earlier versions.
- Download the bundle on this page.
- Log into the ExtraHop Web UI and complete the following procedures, which are available in the ExtraHop Web UI Guide.
- Configure TCP settings on Splunk:
- Log into the Splunk interface.
- Click on Settings > Data Inputs > TCP.
- Click New.
- Configure the TCP port number that the ExtraHop appliance will export data to. Make a note of the port number for later.
- (Optional) Configure a source name that can override the default TCP source.
- (Optional) Configure an IP address or hostname to limit connections from.
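The same TCP data input can be defined in the Splunk `inputs.conf` file instead of through the Settings page. The stanza below is an added example, not part of this bundle or of ExtraHop's documentation; the port 9514, the ExtraHop appliance address 10.0.0.5, the sourcetype name and the index name are placeholders you replace with your own values. The `acceptFrom` line is the file equivalent of the optional "limit connections from" step, and is the setting that keeps an arbitrary host on the network from writing events into the index.

```ini
# Splunk inputs.conf (example, not shipped with the bundle)
# Listens on TCP 9514 for the ExtraHop Open Data Stream for Syslog feed.
[tcp://9514]
# Only accept connections from the ExtraHop Discover appliance (placeholder address).
acceptFrom = 10.0.0.5
# Record the sender's IP address as the host field of each event.
connection_host = ip
# Optional override of the default TCP source, matching the Web UI step above.
source = extrahop_ods
# Placeholder sourcetype and index; align these with the ExtraHop SplunkBase App's searches.
sourcetype = extrahop
index = extrahop
disabled = 0
```

After saving the file, restart Splunk (or reload inputs) and confirm the port is listening before configuring Open Data Stream on the ExtraHop side; a connection attempt from any host other than the one in `acceptFrom` is refused, which is the expected behaviour.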
Log into the ExtraHop Admin UI and complete the following procedure, which is available in the ExtraHop Admin UI Guide.
- Configure Open Data Stream for Syslog
- Add the IP address of your Splunk interface and the TCP port number you configured earlier in this procedure.
Download the ExtraHop SplunkBase App.
Visualize your ExtraHop data through the integrated Splunk application.
Notes:
- Be sure to assign the triggers to appropriate devices on your network. For example, the HTTP Events to Splunk trigger should be assigned to HTTP servers.
- In an environment with an ExtraHop Command cluster, configure Open Data Stream for Syslog on each Discover node.