Start Demo

Send records from ExtraHop to Splunk

You can configure the ExtraHop system to send transaction-level records to a Splunk server for long-term storage, and then query those records from the ExtraHop Web UI and the ExtraHop REST API.

Before you begin

  • You must have version 7.0.3 or later of Splunk Enterprise and a user account that has administrator privileges.
  • You must configure the Splunk HTTP Event Collector before your Splunk server can receive ExtraHop records. See the Splunk HTTP Event Collector documentation for instructions.
Note:Any triggers configured to send records through commitRecord to an Explore appliance are automatically redirected to the Splunk server. No further configuration is required.

Send records from ExtraHop to Splunk

Complete this procedure on all connected ExtraHop systems.
Important:If your ExtraHop system includes a Command appliance, configure all appliances with the same recordstore settings or transfer management to manage settings from the Command appliance.
  1. Log in to the Administration page on the ExtraHop system through https://<extrahop-hostname-or-IP-address>/admin.
  2. In the Records section, click Recordstore.
  3. Select Enable Splunk as the recordstore.
    Note:If you are migrating to Splunk from a connected Explore appliance, you will no longer be able to access records stored on the Explore appliance.
  4. In the Record Ingest Target section, complete the following fields:

    Splunk Ingest Host: The hostname or IP address of your Splunk server.

    HTTP Event Collector Port: The port for the HTTP Event Collector to send records over.

    HTTP Event Collector Token: The authentication token you created in Splunk for the HTTP Event Collector.

  5. In the Record Query Target section, complete the following fields:

    Splunk Query Host: The hostname or IP address of your Splunk server.

    REST API Port: The port to send record queries over.

    Authentication Method: The authentication method, which depends on your version of Splunk.

    For Splunk versions later than 7.3.0, select Authenticate with token, and then type your token.

    For Splunk versions earlier than 7.3.0, select Authenticate with username and password, and then type your credentials.

  6. Clear the Require certificate verification checkbox if your connection does not require a valid SSL/TLS certificate.
    Note:Secure connections to the Splunk server can be verified through trusted certificates that you upload to the ExtraHop system.
  7. In the Index Name field, type the name of the Splunk index where you want to store records.
    The default index on Splunk is called main, however, we recommend that you create a separate index for your ExtraHop records, and type the name of that index.
  8. Click Test Connection to verify that the ExtraHop system can reach your Splunk server.
  9. Click Save.
After your configuration is complete, you can query for stored records in the ExtraHop Web UI by clicking Records from the top menu.

Transfer recordstore settings

If you have a Command appliance connected to your Discover appliances, you can configure and manage the recordstore settings on the Discover appliance, or transfer the management of the settings to the Command appliance. Transferring and managing the recordstore settings on the Command appliance enables you to keep the recordstore settings up to date across multiple Discover appliances.

Recordstore settings are configured for third-party or cloud-based recordstores and do not apply to the Explore appliance.
  1. Log in to the Administration page on the Discover appliance through https://<extrahop-hostname-or-IP-address>/admin.
  2. In the Records section, click Recordstore.
  3. From the Recordstore settings drop-down list, select the Command appliance and then click Transfer.
    If you later decide to manage the settings on the Discover appliance, select this Discover appliance from the Recordstore settings drop-down list and then click Transfer.
Published 2020-05-18 19:49