Web UI Guide

About this guide

This guide provides information about the web-based user interface (Web UI) for the ExtraHop Discover and Command appliances.

The purpose of this guide is to help users understand the ExtraHop system architecture and functionality as well as learn how to operate the controls, fields, and options available throughout the Web UI.

Additional resources are available through the following links:

Introduction to the ExtraHop system

The ExtraHop system helps you monitor network activity and all of your applications. For example, you can learn how well applications are consuming network resources, how systems and devices are communicating with each other, and how to identify transactions that are flowing across the data link layer (L2) up to application layer (L7) in your network.

This guide explains how the ExtraHop system functions so that you can understand how your data is collected and analyzed. We also provide a list of learning resources and some activities to get you started.

ExtraHop platform architecture

The ExtraHop platform comprises a suite of appliances—Discover, Explore, Trace, and Command—that are designed to passively monitor the network traffic in your environment in real time. Each appliance provides you with different types of information about your network, which you can analyze to determine where problems in your network might be developing.

ExtraHop Discover appliance

The ExtraHop Discover appliance (EDA) provides top-level and detailed metrics about transactions and traffic between devices. The Discover appliance includes tools to analyze and visualize all of your network, application, client, infrastructure, and business data.

The Discover appliance passively collects unstructured wire data—all of the transactions on your network—and transforms this data into structured wire data.

Discover appliances are provisioned with storage to support 30 days of metric lookback. Note that actual lookback varies from appliance to appliance, depending on traffic patterns, transaction rates, and the number of active protocols.

Deploy a single Discover appliance, either physical or virtual, anywhere in your network environment.

ExtraHop Explore appliance

The ExtraHop Explore appliance (EXA) integrates with the ExtraHop Discover appliance to store transaction and flow records sent from the Discover appliance. You can see, save, and search the structured flow and transaction information about events on your network with a simple, unified UI, with no modifications to your existing applications or infrastructure. Deploy a cluster of three or more Explore appliances to take advantage of data redundancy and performance improvements.

ExtraHop Trace appliance

The ExtraHop Trace appliance (ETA) continuously collects network packets and integrates with the ExtraHop Discover and Command appliances. You can quickly retrieve all packets that match a set of search criteria within a given time interval. You can then download the packet capture file for further inspection in a packet analyzer, such as Wireshark.

Deploy a Trace appliance when you need access to more than the summary data collected by the Discover appliance.

ExtraHop Command appliance

The ExtraHop Command appliance (ECA) provides centralized management and reporting across multiple ExtraHop Discover, Explore, and Trace appliances that are distributed across data centers, branch offices, and the public cloud.

You can pair an Explore appliance or cluster to multiple Discover appliances, and then query the records stored by each Discover appliance from the Command appliance.

When you add a Trace appliance, you can search, download, and analyze the collected packets to gain further insight about the information flowing across your network.

For most large ExtraHop deployments, a dedicated Command appliance is the most efficient way to manage all of your remote appliances.

Data sources in the ExtraHop system

The ExtraHop Discover appliance collects data and generates metrics from two types of data sources: wire data and machine data, such as flow data.

Wire data

Wire data is observed in real time, which provides information about what’s happening on your network. With wire data, the ExtraHop system passively collects a copy of unstructured packets through a port mirror or tap and stores the data in the appliance datastore. The copied data goes through real-time stream processing, which transforms the packets into structured wire data through the following stages:

  1. TCP state machines are recreated to perform full-stream reassembly.
  2. Packets are constructed into flows.
  3. The structured data is analyzed and processed in the following ways:
    1. Transactions are identified.
    2. Devices are automatically discovered by MAC and IP address and then classified by their activity.
    3. Metrics are generated and associated with protocols and sources, and the metric data is then aggregated into metric cycles.
  4. As new metrics are generated and stored, and the datastore becomes full, the oldest existing metrics are overwritten according to the first-in first-out (FIFO) principle.

Flow data

Flow data, a type of machine data, can also be collected from a network device and sent to the Discover appliance for analysis or storage. Flow data is an alternative option if wire data cannot be collected from a remote network.

A flow is a set of packets that are part of a single transaction between two endpoints. Similar to how the ExtraHop system can identify flows from wire data, flows from machine data on remote networks can be sent to a Discover appliance for analysis. Flows are identified through their unique combination of IP protocol (TCP/UDP), source and destination IP addresses, and source and destination ports.

The ExtraHop system supports the following types of flow data:
NetFlow v5
The Cisco proprietary protocol that defines a flow as a unidirectional flow of packets all sharing the following values: Ingress interface, source and destination IP address, IP protocol, source and destination ports, and the type of service. NetFlow v5 has a fixed record format with 20 fields and cannot be customized.
NetFlow v9
An adapted version of NetFlow v5 where the record format is template based. NetFlow v9 has 60+ fields in the records and can be customized. In the Discover appliance, these records are only partially parsed until the template packet is detected.
IPFIX
An open standard based on the NetFlow v9 standard. ExtraHop supports only the native format; formats where the Enterprise bit is set outside of a trigger are not supported.
AppFlow
The Citrix implementation of IPFIX with customized extensions to include application-level information such as HTTP URLs, HTTP request methods, status codes, and so on.
sFlow
A sampling technology for monitoring traffic in data networks. sFlow samples every nth packet and sends it to the collector whereas NetFlow sends data from every flow to the collector. The primary difference between sFlow and NetFlow is that sFlow is network layer independent and can sample anything. NetFlow v5 is IP based, but v9 and IPFIX can also look at Layer 2.

The Discover appliance enables you to add any of the above flow data sources. You can then view metrics for flow networks (a network device that sends information about flows seen across the device) and their interfaces.

With the Discover appliance working as a flow collector and analyzer, you can collect the flow network traffic through the following stages:
  1. Flow exporters detect and format traffic, caching information about the flow, including source and destination IP addresses, port, IP protocol, and number of bytes and packets.
  2. The flow exporter sends the cached information from the flow network to the Discover appliance, which acts as a collector and analyzer for the flow data.
  3. The flow network traffic is analyzed, flows are identified, and metrics are aggregated for the total number of bytes and total number of packets in each flow.

For example, when a client initiates a request to a server, the packet is sent to the router, which directs the packet to the destination server through the network topology. If that router is configured to be a flow network exporter, information about the flow is then formatted and sent to the Discover appliance for analysis.

By analyzing flows of network traffic, such as NetFlow traffic, an administrator can identify the top network flows (most bytes consumed), top network talkers (highest throughput), total number of bytes, and the total number of packets per router interface.
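The collection stages and reports described above, worked through in code. This is an added example, not ExtraHop code: it keys constructed exporter records on the 5-tuple the guide describes, merges repeated exports of one flow, and derives top flows, top talkers and per-interface totals. The `active_seconds` field on each record is an assumption made here so that a throughput figure can be computed.

```python
"""Flow aggregation over constructed exporter records (added example; not ExtraHop code).
Records are keyed on the 5-tuple the guide describes and byte/packet counts are summed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    proto: str       # IP protocol: "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample records, in the shape a NetFlow v5-style exporter might
# hand to a collector: (ingress interface, proto, src_ip, src_port, dst_ip,
# dst_port, bytes, packets, active_seconds). The active_seconds field is an
# assumption made here so that a throughput figure can be derived.
SAMPLE_RECORDS = [
    ("Gi0/1", "TCP", "10.0.0.5", 51000, "10.0.1.20", 443, 120000, 90, 4.0),
    # A second export for the same 5-tuple: the collector must merge it.
    ("Gi0/1", "TCP", "10.0.0.5", 51000, "10.0.1.20", 443, 80000, 60, 2.0),
    ("Gi0/1", "TCP", "10.0.0.7", 51002, "10.0.1.20", 443, 30000, 40, 10.0),
    ("Gi0/2", "UDP", "10.0.0.9", 53001, "10.0.2.53", 53, 600, 4, 0.5),
    ("Gi0/2", "TCP", "10.0.0.5", 51010, "10.0.3.8", 22, 500000, 700, 20.0),
]


def aggregate_flows(records):
    """Sum bytes, packets and active time per 5-tuple flow."""
    totals = defaultdict(lambda: {"bytes": 0, "packets": 0, "seconds": 0.0})
    for _iface, proto, sip, sport, dip, dport, nbytes, npkts, secs in records:
        entry = totals[FlowKey(proto, sip, sport, dip, dport)]
        entry["bytes"] += nbytes
        entry["packets"] += npkts
        entry["seconds"] += secs
    return dict(totals)


def top_flows(totals, n=3):
    """Top network flows: the 5-tuples that consumed the most bytes."""
    return sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def top_talkers(totals, n=3):
    """Top talkers: source hosts with the highest throughput (bytes per active second)."""
    sent = defaultdict(lambda: {"bytes": 0, "seconds": 0.0})
    for key, entry in totals.items():
        sent[key.src_ip]["bytes"] += entry["bytes"]
        sent[key.src_ip]["seconds"] += entry["seconds"]
    rates = {host: v["bytes"] / v["seconds"] for host, v in sent.items() if v["seconds"] > 0}
    return sorted(rates.items(), key=lambda kv: kv[1], reverse=True)[:n]


def interface_totals(records):
    """Total bytes and packets per router interface, as reported by the exporter."""
    per_iface = defaultdict(lambda: [0, 0])
    for iface, *_rest, nbytes, npkts, _secs in records:
        per_iface[iface][0] += nbytes
        per_iface[iface][1] += npkts
    return {iface: tuple(v) for iface, v in per_iface.items()}


if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_RECORDS)
    for key, entry in top_flows(flows):
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} "
              f"{key.proto} {entry['bytes']} bytes {entry['packets']} packets")
    print("top talkers:", top_talkers(flows))
    print("per interface:", interface_totals(SAMPLE_RECORDS))
```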

Device discovery

The ExtraHop system automatically discovers devices based on what is happening on the network. There are two device discovery modes: layer 2 (L2) discovery and layer 3 (L3) discovery. The default discovery mode is L3 discovery.

In L2 discovery, a device entry is added for every locally observed MAC address over the wire. All IP addresses associated with a MAC address are aggregated into one device.

In L3 discovery, a device entry is added for every locally observed IP address over the wire that meets the following criteria:
  • A device responds to an Address Resolution Protocol (ARP) request for the IP address, allowing the ExtraHop appliance to associate the IP address with a MAC address.
  • The associated MAC address is not the MAC address of an L3-routing device.

In addition to creating L3 devices, the Discover appliance also creates an L2 device for each unique MAC address. If the MAC address and IP address are associated with the same device, the Discover appliance links the parent L2 device and the child L3 device. The IP address and MAC address for a device are displayed in the overview section on the Device page in the Metrics section of the Web UI.

The following characteristics apply to L2 devices created by L3 device discovery mode:
  • L2 metrics that cannot be associated with a particular child L3 device (for example, L2 broadcast traffic) are associated with the parent L2 device.
  • In the device list view in the Metrics section of the Web UI, you can filter the full device list for L2 devices only, L3 devices only, or both types of devices.
  • L2 devices that exist solely as parents to L3 child devices do not count against licensed device count limits.
  • L2 devices are exempt from the device count and whitelist, because the ExtraHop system only collects L2 and L3 protocol metrics for these types of devices.
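The two discovery modes and the parent/child linking described above, modelled in code. This is an added example, not ExtraHop code: the ARP replies, packets and router MAC set are constructed inputs, and the `discover` function applies the criteria from this section to them.

```python
"""Device discovery in L2 and L3 mode, modelled on the criteria in this section
(added example; not ExtraHop code). All observations below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    kind: str                          # "L2" or "L3"
    mac: str
    ips: Set[str] = field(default_factory=set)
    parent_mac: Optional[str] = None   # set on an L3 child: its parent L2 device
    children: List[str] = field(default_factory=list)  # on an L2 parent: child IPs


# Constructed observations. ARP_REPLIES holds (ip, mac) pairs where a host answered
# an ARP request for the IP; IP_PACKETS holds (src_mac, src_ip) pairs seen on the wire.
ROUTER_MACS = {"aa:bb:cc:00:00:ff"}
ARP_REPLIES = [
    ("10.0.0.5", "aa:bb:cc:00:00:01"),
    ("10.0.0.7", "aa:bb:cc:00:00:02"),
    ("10.0.0.1", "aa:bb:cc:00:00:ff"),      # the router's own address
]
IP_PACKETS = [
    ("aa:bb:cc:00:00:01", "10.0.0.5"),
    ("aa:bb:cc:00:00:02", "10.0.0.7"),
    ("aa:bb:cc:00:00:ff", "10.0.0.1"),
    ("aa:bb:cc:00:00:ff", "203.0.113.10"),  # remote host, forwarded by the router
    ("aa:bb:cc:00:00:03", "10.0.0.9"),      # local MAC never seen answering ARP
]


def discover(arp_replies, ip_packets, router_macs, mode="L3"):
    """Return {device id: Device}; L2 devices are keyed by MAC, L3 devices by IP."""
    devices: Dict[str, Device] = {}
    # In both modes an L2 device exists per locally observed MAC address, and
    # every IP address seen with that MAC is aggregated into it.
    for mac, ip in ip_packets:
        devices.setdefault(mac, Device("L2", mac)).ips.add(ip)
    if mode == "L2":
        return devices
    # L3 mode: an L3 device per IP that answered ARP from a MAC that is not an
    # L3-routing device, linked to its parent L2 device. IPs seen only behind a
    # router MAC (for example 203.0.113.10) stay aggregated on the router's device.
    for ip, mac in arp_replies:
        if mac in router_macs:
            continue
        parent = devices.setdefault(mac, Device("L2", mac))
        devices[ip] = Device("L3", mac, ips={ip}, parent_mac=mac)
        parent.children.append(ip)
    return devices


def list_devices(devices, kinds=("L2", "L3")):
    """Filter the device list to L2 only, L3 only, or both, as the Web UI allows."""
    return sorted(dev_id for dev_id, dev in devices.items() if dev.kind in kinds)


if __name__ == "__main__":
    found = discover(ARP_REPLIES, IP_PACKETS, ROUTER_MACS, mode="L3")
    for dev_id in list_devices(found):
        dev = found[dev_id]
        print(dev.kind, dev_id, sorted(dev.ips), "parent:", dev.parent_mac, "children:", dev.children)
```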

For more information, see Device Discovery FAQ.

Device names and roles

After a device is discovered, the ExtraHop system tracks all of the wire data traffic associated with the device. The ExtraHop system discovers device names by passively monitoring naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol (CDP). A device can be identified by multiple names, which are all searchable. If a name is not discovered through a naming protocol, the default name is derived from device attributes (MAC address for L2 devices and the IP address for L3 devices). You can also create a custom name for a device.

Note: If a device name does not include a hostname, the ExtraHop system has not yet observed naming protocol traffic associated with that device. The ExtraHop system does not perform DNS lookups for device names.

Based on the type of traffic associated with the device, the ExtraHop system assigns a role to the device, such as a gateway, file server, database, or load balancer. You can change or add a role to a device.

Remote device discovery and custom devices

The ExtraHop system automatically discovers local L3 devices based on observed ARP traffic that is associated with IP addresses. By default, all IP addresses that are observed outside of locally-monitored broadcast domains are aggregated at one of the incoming routers in your network. To identify and learn about individual devices outside of these routers, which are beyond your local network, you can create custom devices and enable reporting on these devices. For example, you can create a single device encompassing several known IP addresses for a remote site or cloud service.

Note: If proxy ARP is configured in your network, the ExtraHop system might automatically discover remote devices. For more information, see this ExtraHop forum post.

To identify and learn about individual devices located outside of local routers beyond your local network, complete one of the following options:
  • Configure remote discovery in the ExtraHop Admin UI to discover L3 devices for a range of IP addresses that are not on the local network.
  • Create a custom device to collect metrics for a remote IP address or a range of IP addresses into one device. For example, you can create a single device that collects metrics for several known IP addresses that belong to remote sites or cloud services.

Software frame deduplication

The ExtraHop system removes duplicate L2 and L3 frames and packets when metrics are collected and aggregated from your network activity by default. L2 deduplication removes identical Ethernet frames (where the Ethernet header and the entire IP packet must match); L3 deduplication removes TCP or UDP packets with identical IP ID fields on the same flow (where only the IP packet must match).

The ExtraHop system checks for duplicates against only the immediately preceding packet, either on the same flow (for L3 deduplication) or globally (for L2 deduplication), and removes the duplicate only if it arrives within 1 millisecond of the original packet.

By default, the same packet traversing different VLANs is removed by L3 deduplication. In addition, packets must have the same length and the same IP ID, and TCP packets also must have the same TCP checksum.

L2 duplication usually only exists if the exact same packet is seen more than once in the data feed, which is typically related to an issue with port mirroring. L3 duplication is often the result of mirroring the same traffic across multiple interfaces of the same router, which can show up as extraneous TCP retransmissions in the ExtraHop system.

The System Health page in the ExtraHop Web UI contains charts that display L2 and L3 duplicate packets that were removed by the ExtraHop system. Deduplication works across 10Gbps ports by default and across 1Gbps ports if software RSS is enabled. L3 deduplication currently is supported only for IPv4, not IPv6.
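The deduplication rules from this section, applied to a constructed packet stream. This is an added example, not ExtraHop code: it compares each packet only against the immediately preceding packet (globally for L2, per flow for L3), uses the 1 ms window, ignores the VLAN tag for L3, requires a matching TCP checksum for TCP, and leaves IPv6 traffic alone. The `Packet` fields are a simplified stand-in for the real frame contents.

```python
"""Software frame deduplication as described in this section (added example; not ExtraHop code).
L2: drop a frame identical to the immediately previous frame seen globally.
L3: drop an IPv4 TCP/UDP packet whose length, IP ID (and TCP checksum) match the
immediately previous packet on the same flow, VLAN tag ignored. Both use a 1 ms window."""
from dataclasses import dataclass
from typing import Optional

WINDOW_SECONDS = 0.001  # a duplicate must arrive within 1 ms of the original


@dataclass
class Packet:
    ts: float                 # arrival time in seconds
    vlan: Optional[int]
    src_mac: str
    dst_mac: str
    ip_version: int
    src_ip: str
    dst_ip: str
    proto: str                # "TCP" or "UDP"
    src_port: int
    dst_port: int
    ip_id: int
    length: int               # IP packet length
    tcp_checksum: Optional[int] = None


def flow_key(p: Packet):
    return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def ip_packet_fields(p: Packet):
    """Fields standing in for the full IP packet contents in this model."""
    return (p.ip_version, flow_key(p), p.ip_id, p.length, p.tcp_checksum)


def l2_identical(a: Packet, b: Packet) -> bool:
    """Ethernet header (VLAN tag included) and the entire IP packet must match."""
    return (a.vlan, a.src_mac, a.dst_mac) == (b.vlan, b.src_mac, b.dst_mac) \
        and ip_packet_fields(a) == ip_packet_fields(b)


def l3_duplicate(p: Packet, prev: Packet) -> bool:
    """Same length and IP ID, and the same TCP checksum for TCP; VLAN is not compared."""
    if p.ip_version != 4:
        return False          # L3 deduplication is supported only for IPv4
    if (p.length, p.ip_id) != (prev.length, prev.ip_id):
        return False
    return p.proto != "TCP" or p.tcp_checksum == prev.tcp_checksum


def deduplicate(packets):
    kept, l2_removed, l3_removed = [], 0, 0
    last_global: Optional[Packet] = None
    last_on_flow = {}
    for p in packets:
        if last_global is not None and p.ts - last_global.ts <= WINDOW_SECONDS \
                and l2_identical(p, last_global):
            l2_removed += 1
        else:
            prev = last_on_flow.get(flow_key(p))
            if prev is not None and p.ts - prev.ts <= WINDOW_SECONDS and l3_duplicate(p, prev):
                l3_removed += 1
            else:
                kept.append(p)
        # Only the immediately preceding packet is ever compared against.
        last_global = p
        if p.ip_version == 4:
            last_on_flow[flow_key(p)] = p
    return {"kept": kept, "l2_removed": l2_removed, "l3_removed": l3_removed}


def _tcp(ts, vlan, ip_id, src_ip="10.0.0.5", dst_ip="10.0.1.20", version=4):
    """Constructed TCP packet on one flow; only the fields that vary are parameters."""
    return Packet(ts, vlan, "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:ff", version,
                  src_ip, dst_ip, "TCP", 51000, 443, ip_id, 1500, 0xABCD)


SAMPLE_PACKETS = [
    _tcp(0.0000, 10, 100),   # original
    _tcp(0.0002, 10, 100),   # identical frame on the same VLAN 0.2 ms later: L2 duplicate
    _tcp(0.0005, 20, 100),   # same IP packet mirrored from another VLAN: L3 duplicate
    _tcp(0.0010, 10, 101),   # next packet in the flow, new IP ID: kept
    _tcp(0.0050, 10, 101),   # same IP ID 4 ms later: outside the window, kept (a retransmission)
    _tcp(0.0100, 10, 7, src_ip="2001:db8::5", dst_ip="2001:db8::20", version=6),
    _tcp(0.0102, 20, 7, src_ip="2001:db8::5", dst_ip="2001:db8::20", version=6),  # IPv6: not deduplicated
]

if __name__ == "__main__":
    result = deduplicate(SAMPLE_PACKETS)
    print("kept", len(result["kept"]), "L2 removed", result["l2_removed"],
          "L3 removed", result["l3_removed"])
```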

Introduction to the ExtraHop Web UI

The ExtraHop Discover and Command appliances provide access to network activity data through a dynamic and highly customizable Web UI.

This guide provides an overview of the global navigation and controls, fields, and options available throughout the UI.

Supported browsers for the ExtraHop Web UI

The following browsers are compatible with all ExtraHop appliances.

  • Firefox
  • Google Chrome
  • Internet Explorer 11
  • Safari

You must allow cookies and ensure that Adobe Flash Player is installed and enabled. Visit the Adobe website to confirm that Flash Player is installed and up-to-date.

Global navigation elements located at the top of the page contain links to the main sections of the Web UI. Within each section, the left pane contains links to specific pages or data.

The following figure shows both global and left pane navigation elements.



The following figure shows an example of how the left pane navigation changes based on the section you are viewing.



Here are definitions of each global navigation element:

Dashboards
Click Dashboards to view, create, or share dashboards for monitoring any aspect of your network or applications. System dashboards give you an instant view of the activity on your network. You can also create and share custom dashboards with other users.
Alerts
Click Alerts to view alert history, which displays information about each alert generated during the time interval. If your Discover appliance is connected to the Addy service, you can also view detected anomalies from your wire data.
Metrics
Click Metrics to find any application, network, or device discovered by the ExtraHop system and view their protocol metrics.
Records (Optional)
If you have an Explore appliance, the top-level navigation shows the Records menu. Click Records to query for all records stored on the Explore appliance for the current time interval. Records are structured information about transactions, messages, and network flows.
Packets (Optional)
If you have a Trace appliance, the top-level navigation shows the Packets menu. Click Packets to query for all packets stored on the Trace appliance for the current time interval.
Global search field
Type a device hostname or IP address, an application name, or a network name to find a match on your Discover or Command appliance. If you have a connected ExtraHop Explore appliance, you can search for saved records. If you have a connected Trace appliance, you can search for packets.
Community forum icon
Visit the ExtraHop forum within a new browser tab to ask a product or bundle question.
Help icon
See help information for the page that you are currently viewing. To access the most current and comprehensive set of ExtraHop documentation, visit the ExtraHop Documentation website.
System Settings icon
Access system configuration options, such as Triggers, Alerts, Reports, and Custom Devices.
User option icon
Log in and log out of your Discover appliance or Command appliance, change your password, and access API options.
Pane toggle
Collapse or expand the left pane.
Global Time Selector
Change the time interval to view application and network activity that was observed by the ExtraHop system for a specific time period. The global time interval is applied to all metrics across the ExtraHop Web UI and does not change as you navigate to different pages.
Recent pages
See a list of the most recent pages you visited in a drop-down menu and make a selection to go back to a previous page. Repeated pages are deduplicated and condensed to save space.
Navigation path
View where you are in the system and click a page name to access a drop-down menu of pivot points, which let you access other protocols or sources.
Command menu drop-down
Click to access specific actions for the page you are viewing. For example, when you click Dashboards at the top of the page, the command menu provides actions for changing dashboard properties or creating a new dashboard.

Start analyzing data

Begin your data analysis journey with the ExtraHop system by following the basic workflows listed below. As you become familiar with the ExtraHop system, you can complete more advanced tasks, such as installing bundles and building triggers.

Here are some basic ways to navigate and work with the ExtraHop Web UI to analyze network activity.

Monitor metrics and investigate interesting data

When you first log into the ExtraHop system, you see the Activity dashboard. This dashboard is a good starting point because it shows you a summary of important metrics about application performance on your network. When you see a spike in traffic, errors, or server processing time, you can interact with dashboard data to drill down and identify which clients, servers, methods, or other factors contributed to the unusual activity.

You can then continue performance monitoring or troubleshooting by creating a custom dashboard to track a set of interesting metrics and devices.

Search for a specific device and investigate related metrics and transactions

If you want to investigate a slow server, you can search for the server in the ExtraHop system by device name or IP address and then investigate the server's activity on a protocol page. Was there a spike in response errors or requests? Was server processing time too high or did network latency affect the rate of data transfer? Click on different protocols in the left pane to investigate more metric data collected by the ExtraHop system. Drill down by peer IP addresses to see which clients or applications the server talked to.

To share protocol data with other teams, you can create a report.

If you have an Explore appliance, you can investigate entire transactions that the server participated in by creating a record query.

Get visibility into changes to your network by searching for protocol activity

You can get a top-down view of your network by looking at activity groups. An activity group is a collection of devices automatically grouped together by the ExtraHop system based on the protocol traffic observed over the wire. For example, you can find new or decommissioned servers that are actively communicating over a protocol. For more information, see Search for devices by protocol activity.

If you find a collection of devices that you want to continue monitoring, you can add a device tag or custom device name to make those devices easier to find in the ExtraHop system. You can also create a custom device group or a custom dashboard to monitor device group activity.

Advanced workflows for customizing your ExtraHop system

After becoming familiar with basic Web UI workflows, you can customize your ExtraHop system by setting up alert notifications, creating custom metrics, or installing bundles.

Set up alerts
Configure threshold and trend-based alerts that notify you when there is a potential issue with a network device. For more information, see Configure threshold alert settings and Configure trend alert settings.
Install a bundle to enhance ExtraHop features and integrations
Bundles are a saved set of system configurations that can be uploaded to an ExtraHop appliance. Check out the following popular bundles:

Apply a bundle to your ExtraHop system, or create a bundle to share with others. For more information, see Bundles concepts.

Build a trigger to create custom metrics and applications
Triggers are custom scripts that perform an action upon a pre-defined event. Triggers require planning to make sure a trigger doesn’t negatively impact system performance. For more information, see Triggers concepts.

Access keyboard shortcuts

Keyboard shortcuts help you quickly navigate across the ExtraHop Web UI and manage dashboards with a few keystrokes.

  1. Log into the Web UI on the Discover or Command appliance.
  2. Type one of the following keyboard combinations:
    Keyboard combination   Action
    ?                      Show or hide a hot key help menu
    G then S               Go to Dashboard
    G then A               Go to Alerts
    G then P               Go to Application Metrics
    G then N               Go to Network Metrics
    G then D               Go to Device Metrics
    G then G               Go to Group Metrics
    /                      Global Search
    O then M               Open Metric Explorer
    G then E               Go to Settings
    G then T               Go to Trigger Editor
    G then H               Open Help
    O then Q               View system information
    Ctrl+S                 Save widget configuration

Manage dashboards with keyboard shortcuts

The following keyboard shortcuts only apply to dashboards.

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Type one of the following keyboard combinations:
    Keyboard combination   Action
    O then L               Toggle edit layout mode
    O then P               Show dashboard properties
    C then D               Copy the current dashboard
    D then D               Delete the current dashboard
    O then S               Toggle descriptions
    Ctrl+Up Arrow+F        Toggle presentation mode
    N then D               Create a new dashboard
    N then F               Create a new folder
    O then D               Toggle dock edit mode

Dashboards concepts

Dashboards are an effective tool for monitoring high-priority network traffic or troubleshooting an issue. You can monitor general information about your network from built-in system dashboards, or build a custom dashboard to create a personalized view of metrics that are important to you.

A dashboard is an HTML page that displays real-time and historic metric data. Dashboards consolidate multiple metrics into a central location where you can investigate and share data. In this guide, you will learn about dashboard features and find links to dashboard resources and procedures.

Before you begin:

Here are some definitions you should know about dashboards in the ExtraHop system:

Dashboard dock
The left pane of the dashboard page, which provides access to all of your dashboards. Dashboards are organized within menus and folders.
Region
A compartment within the dashboard layout that contains widgets.
Widget
A configurable component for displaying metric data and information. Charts are the most common widget found in dashboards.
Time Selector
A tool that changes the time interval for the entire dashboard. You can also change the time interval for a specific region within the dashboard.

Interact with dashboard data

A dashboard is a launching point into data analysis and troubleshooting. When you observe a metric value that raises questions, a dashboard provides the following options for interacting with metric data and finding answers.

Change the time interval
Observe how data changes over time in the following ways:
Interact with chart data
A dashboard chart is a dynamic, interactive visualization of data. As you troubleshoot or analyze data, you can interact with chart data in several ways, as shown in the figures below.

Note: Copy or create a chart, and then edit the chart in Metric Explorer. When you copy or create a chart from a system dashboard or shared dashboard that you do not own, you must save the edited chart to your own custom dashboard.

Monitor your network with system dashboards

When you first log into the Discover or Command appliance, you see the Activity dashboard. ExtraHop users have access to the Activity dashboard and the Network dashboard, which are known as system dashboards.

System dashboards give you different types of insights into the general behavior and health of your network:

Activity dashboard
Find top-talkers by application (L7) protocols and view recent alerts. For more information about charts in this dashboard, see Activity dashboard.
Network dashboard
Identify traffic latency and bottlenecks over the data link (L2), network (L3), and transport (L4) layers. For more information about charts in this dashboard, see Network dashboard.

If you see interesting data in a system dashboard chart, you can investigate further.

Monitor your network with custom or shared dashboards

If you want to monitor specific metrics or custom metrics, you can create a custom dashboard. Custom dashboards are stored separately for each user that accesses the ExtraHop Discover appliance. After you build a custom dashboard, you can share it with other ExtraHop users.

Working with custom dashboards

There are two ways to create your own dashboard: New dashboards are placed in Edit Layout mode, which enables you to add, arrange, and delete components within the dashboard. After creating a dashboard, you can complete the following tasks:

Custom dashboards are located in the My Dashboard folder in the dashboard dock. To make changes to your dashboard at any time, click the command menu in the upper right corner of the page and select Edit Layout or Dashboard Properties.

To delete a dashboard, click the command menu in the upper right corner of the page, and then select Delete. Or edit the dashboard dock and select the trash icon next to the dashboard name and then click Delete Dashboard.

Important: You cannot recover a deleted dashboard. If a dashboard owner's account is deleted from the ExtraHop system, all the custom dashboards associated with the user account are also deleted. To preserve dashboards, make a copy before the account is deleted.

Working with shared dashboards

Dashboards that have been shared with you are located in the Dashboard Inbox folder in the dashboard dock. You can organize your shared and custom dashboards, interact with dashboard data, or print dashboard data.

You cannot modify another user's dashboard, unless the dashboard owner grants you edit access. However, you can make a copy of a shared dashboard and then customize it.

To remove a shared dashboard from your dashboard dock, click the command menu in the lower right corner of the dashboard dock and then select Edit Dock. Click the trash icon next to the dashboard and then click Delete Dashboard.

Note: Only a dashboard owner can delete a dashboard.

Export and share dashboard data

You can export dashboard data to a CSV, Excel, or PDF file. You can export and share data by individual chart or by the entire dashboard.

To export chart data, click the chart title and make a selection from the drop-down menu. To export or share the entire dashboard, click the command menu in the upper right corner of the page to access the following options:

Check out the following resources that are designed to familiarize new users with building dashboards.

Create a dashboard

Dashboards provide a single location for important metrics that you care about. When you create a custom dashboard, a dashboard layout opens containing a single region with an empty chart widget and an empty text box widget. Edit a chart to incorporate real-time metrics into your dashboard, and edit a text box to provide information. Finally adjust the layout and add more widgets to complete your dashboard and begin monitoring your network.

Before you begin

Determine which metrics you want to monitor on your dashboard. Ask yourself the following questions:
  • Do I want to track if my server is offline or unavailable? Add availability metrics such as requests and responses to your dashboard charts.
  • Is my server functioning properly? Add reliability metrics such as errors to your dashboard charts.
  • Is my server properly resourced? Add performance metrics such as server processing time to your dashboard charts.

Create the dashboard layout

The following steps show you how to create the framework for your dashboard, which includes two empty widget types: a chart and a text box. Your new dashboard opens in Edit Layout mode (which is displayed in the upper right corner). Edit Layout mode enables you to quickly edit your chart and text box, and arrange the placement of widgets and regions on a dashboard.

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. On the Dashboards page, complete one of the following steps:
    • Click Create Dashboard at the bottom of the dashboard dock (from the bottom of the left pane).
    • Click the command menu in the upper right corner of the page and select Create Dashboard.
  3. In the Dashboard Properties window, type a name for your dashboard.
  4. Enter any other metadata for your dashboard, such as a name for the author or a description. Note that the Permalink provides a direct URL to your dashboard for any users who have sharing privileges for your dashboard.
  5. Click Create.

Edit a basic chart

The following steps show the general flow for editing a chart widget in the Metric Explorer tool. Begin by specifying sources and metrics to add data to your chart. For example, you can now add the availability, reliability, or performance metrics that you considered at the beginning of this procedure to your dashboard. Then choose a chart type to visualize the data.

  1. Click the chart to launch the Metric Explorer.
  2. Click Add Source.
  3. In the source search field, type the name of a source and then select the source from the search results.
  4. In the metric search field, type the protocol and metric name and then select the metric you want to add to the chart from the search results. For example, to monitor the reliability of web transactions, type HTTP errors and then select HTTP Errors from the search results.
  5. Select a chart type from the bottom of the Metric Explorer. Some charts might not be compatible with your selected metrics. For example, the heatmap chart can only display dataset metric data, such as server processing time. For more information about charts and compatible metrics, see Chart types.
  6. Optional: Select a drill down key to view detail metrics. Click Drill down by <None>, where <None> is the name of the detail metric key currently displayed in your chart. You can view up to 20 top key values in a chart for a specific time interval.
  7. Click Save.

Next steps

Edit a basic text box widget

The following steps show you how to display custom text in a dashboard region, which is a helpful tool for adding notes about a chart or data in a dashboard. The text box widget supports the Markdown syntax. A new text box widget contains sample text that is already formatted in Markdown to provide you with basic examples.

  1. Click the text box.
  2. Type and edit text in the left Editor pane. The HTML output text dynamically displays in the right Preview pane. For more formatting examples, see Format text in Markdown.
  3. Click Save.

Add more widgets and regions to your dashboard

Add and arrange the placement of regions and widgets on your dashboards.

  1. Click-and-drag dashboard components, such as a region or widget, from the bottom of the page onto the workspace.
  2. To arrange dashboard components, click-and-drag the edge of a region or widget to resize it. If dashboard components overlap, they are outlined in red. You must click and drag the sides of the widgets and regions to make room.
  3. Optional: Click Remove Extra Space to remove the empty vertical white space around widgets. Empty vertical white space will be removed from every region on the dashboard.
  4. After making your changes, click Exit Layout Mode.
    Note: If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.

Next steps

Now that your dashboard is complete, you can perform the following steps:

Chart editing tips

The following tips help you search for and select metrics when building a chart.

  • Filter search results to a specific source type or protocol by clicking Any Type or Any Protocol underneath the search fields.
  • You can only select the same source type that is currently in your metric set. A metric set contains one source type and metrics. For example, if you select the All Activity application as the source, you can only add more applications to that metric set. Add more sources of the same type to your chart by clicking Add Application, Add Device, Add Group, or Add Network. To include a different source type in your chart, click Add Source to start a new metric set.
  • Create an ad hoc group of more than one source in your chart by selecting Combine Sources. For example, you can combine two applications and then view a single metric value in the chart for both of these applications.
  • If you select a device group as your source, you can Drill down by Group Member to display individual metrics for up to 20 of the devices within the group.

Copy a dashboard

If you want to duplicate a useful dashboard, you can copy a dashboard and then replace or modify sources to display different application, device, or network data. You can only copy one dashboard at a time. You cannot drag a dashboard to a folder to copy it.

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Select a dashboard that you want to copy.
  3. Click the command menu in the upper right corner of the dashboard page.
  4. Click Copy and complete one of the following steps:
    • Click Keep Sources to maintain the original data configurations in the new dashboard.
    • Click Modify Sources, which helps you to immediately update every region, chart, and widget within the copied dashboard with another source, and then complete the following steps:
      1. In the right pane of the Modify Sources window, click a source name. A search field opens.
      2. Type the name of a new source and then select the source from the drop-down list. Repeat this step if the dashboard contains more than one source that you want to replace.
      3. Click Create Dashboard.
    A copied dashboard with a modified version of the original title is created.
  5. To rename the copied dashboard, complete the following steps:
    1. Click the command menu in the upper right corner of the page.
    2. Select Dashboard Properties.
    3. In the Title field, type a new name.
    4. Click Save.
    Tip: To quickly copy a dashboard, type the keyboard shortcut CD and then update Dashboard Properties or modify sources.

Edit a dashboard layout

Place your dashboard into Edit Layout mode to add, delete, or rearrange the widgets and regions on your dashboard layout. You can only add or delete widgets or regions when the dashboard is in Edit Layout mode.

When you create a new dashboard, the dashboard is automatically placed into Edit Layout Mode. To edit the layout of an existing dashboard, complete the following steps:

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. Select a dashboard that you want to edit.
  3. Click the command menu in the upper right corner of the page, and then select Edit Layout.
  4. In Edit Layout mode, select from the following options:
    Add widgets and regions

    Click-and-drag a widget or region from the bottom of the page and place it onto the dashboard.

    Widgets are configurable dashboard components that provide the following functions:
    • Chart: add metrics and select chart types to visualize data
    • Text box: add explanations, links, and images to your dashboard
    • Alert history: scan up to 40 recent alerts, sorted by severity
    • Activity group: monitor devices that are grouped together automatically by protocol activity in the ExtraHop system

    Regions contain and logically group widgets together. Click-and-drag widgets into a region. The width of a region can include a maximum of six widgets. The length of a region and dashboard is unlimited.

    Delete widgets and regions
    To delete a region, click Delete in the region header. To delete a widget, click the title and then select Delete from the drop-down menu.
    Arrange the placement of widgets and regions

    Click the header of a region or widget to drag it to a different location. Click and drag the edge of a region or widget to resize it.

    If dashboard components overlap, they will be outlined in red. You must click and drag the sides of the widgets and regions to make room.

  5. Optional: Click Remove Extra Space to remove the empty vertical white space around widgets. Empty vertical white space will be removed from every region on the dashboard.
  6. Click Exit Layout Mode in the upper right corner of the page to save your changes.
    Note: If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.

Edit a chart with the Metric Explorer

The Metric Explorer is a tool for creating and editing charts, which lets you construct dynamic visualizations of device and network behavior.

Create and edit a basic chart

With the Metric Explorer, you can edit sources, metrics, and data calculations, and then preview how metric data appears in different charts. When you are satisfied with your selections, save your chart to a dashboard.

The following steps show you the basic workflow and minimum requirements for completing a new chart.

  1. Click Add Source and then type the name of an application, device, or network.
  2. Select the source from the list of results.
  3. In the Metrics field, type a protocol and metric name. Then select the metric from the list of results, as shown in the following figure.
  4. Select a chart from the bottom of the Metric Explorer, as shown in the following figure.
  5. Optional: Click the drop-down link below the metric name to display a count, rate, or percentile.
  6. Complete one of the following steps:
    • Click Save when creating or editing a chart from a dashboard. Your dashboard is updated with your basic chart.
    • Click Add to Dashboard when creating or editing a chart from a protocol page. Then select an existing dashboard from the list, or select Create Dashboard.

Configure advanced options for data analysis and chart customization

Depending on the metrics and chart type you select, you can configure advanced options for creating sophisticated visualizations with the Metric Explorer, as shown in the following figure.

Drill down on metric data and sources to display details
In the Details section from the Metrics tab, you can drill down to display detail metrics or drill down on a device group to display individual devices within the chart.
Add a baseline or threshold line from the Analysis tab
You can add a dynamic baseline (trendline) or a static threshold line to your chart. Baselines are calculated after the chart is saved. To see a line that represents a threshold, such as a service level agreement (SLA) value, add a static threshold line to your chart.
Rename legend labels and the chart title
For charts that display a legend, you can change a metric name in the chart legend with a custom label. In the Metric Explorer, click the label in the preview pane then select Rename. To rename a chart, click the chart title and select Rename.
Customize your chart from the Options tab
You can access the following options for customizing chart properties and the display of metric data in your chart:
  • Convert metric data from bytes to bits
  • Convert metric data from base 2 (Ki=1024) to base 10 (K = 1000)
  • Change the y-axis in a time-series chart from linear to log scale
  • Abbreviate metric values in a chart (for example, abbreviate 16,130,542 bytes to 16.1 MB)
  • Sort metric data in ascending or descending order in a bar, list, or value chart
  • Change the percentile precision in a pie chart
  • Hide or display a chart legend
  • Hide inactive metrics with a zero value so that these metrics are not visible in the chart, including the legend and label
  • Include sparkline in a list or value chart
  • Display the alert status for data displayed in list or value charts (for more information, see Alerts concepts)
  • Switch the color display for metric data to grayscale (with exception to charts that display an alert status)
  • For IP address labels, display the hostname (if detected from DNS traffic in wire data) or origin IP address (if a proxy is detected from wire data)
Note: Some options are only available for specific chart types. For example, the option to include a sparkline only appears in the Options tab for list and value charts.
Create an ad hoc group to combine data from multiple sources
From the Metrics tab, you can create an ad hoc group of multiple sources within a set by selecting Combine Sources. For example, you can combine two applications and then view a single metric value in the chart for both of these applications.

Next steps

Practice building charts by completing the following walkthroughs:

Edit a text box widget

If you want to include explanatory text next to your dashboard charts or display a company logo in your dashboard, you can edit a text box widget. With the text box widget, you can display text, links, images, or sample metrics in your dashboard.

The text box widget supports Markdown, which is a simple formatting syntax that converts plain text into HTML with non-alphabetic characters, such as “#” or “*”. New text box widgets contain Markdown examples. A text box widget is automatically provided each time you create a dashboard. You can also add a text box widget to your dashboard layout.

To edit an existing text box widget, complete the following steps:

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. Select a dashboard containing the text box you want to edit.
  3. Click the command menu in the upper right corner and select Edit Layout.
  4. Click the text box.
  5. Type and edit text in the left Editor pane.
    The HTML output text dynamically displays in the right Preview pane. With Markdown, you can format the following types of content:
  6. Click Save to close the Metric Explorer.

Format text in Markdown

The following table shows common Markdown formats that are supported in the text box widget.

Note: Additional Markdown format examples are provided in the GitHub Guides: Mastering Markdown. However, not all Markdown syntax formatting options are supported in the ExtraHop text box widget.
  Headings
    Place a number sign (#) before your text to format headings. The level of heading is determined by the number of number signs.
    Example: ####Example H4 heading
  Unordered lists
    Place a single asterisk (*) before your text.
    Example:
    * First example
    * Second example
  Ordered lists
    Place a single number and period (1.) before your text.
    Example:
    1. First example
    2. Second example
  Bold
    Place double asterisks before and after your text.
    Example: **bold text**
  Italics
    Place an underscore before and after your text.
    Example: _italicized text_
  Hyperlinks
    Place link text in brackets before the URL in parentheses. Or type your URL.
    Links to external websites open in a new browser tab. Links within the ExtraHop Web UI, such as dashboards or custom pages, open in the current browser tab.
    Examples:
    [Visit our home page](https://www.extrahop.com)
    https://www.extrahop.com
  Blockquotes
    Place a right angle bracket and a space before your text.
    Example:
    On the ExtraHop website:
    > Access the live demo and review case studies.
  Monospace font
    Place a backtick (`) before and after your text.
    Example: `example code block`
  Emojis
    Copy and paste a Unicode block emoji into the text box. Adding emojis in Markdown syntax is unsupported. For Unicode emoji examples, see the Unicode Emoji Chart website.

Add images in Markdown

You can add images to the text box widget by linking to them. Make sure your image is hosted on a network that is accessible to the Discover appliance.

Links to images must be specified in the following format:

![<alt_text>](<file_path>)

Where <alt_text> is the alternative text for the image name and <file_path> is the path of the image. For example:

![Graph](/images/graph_1.jpg)
Note: You also can add images by encoding them to Base64. For more information, see the following post on the ExtraHop forum, “Putting Images in Text Boxes.”

Add metric examples in Markdown

You can write a metric query to include a metric value inline with text in the text box widget.

The basic format for writing metric queries is:

%%metric:<definition>%%

Where <definition> is replaced with a JSON-defined structure that is based on the ExtraHop REST API query structure.

Note: The following metric queries are unsupported in the text box widget:
  • Time-series queries
  • Mean calculations
  • Multiple object_ids
  • Multiple metric_spec
  • Multiple percentiles

A metric query must contain the following parameters:

  • object_type
  • object_ids
  • metric_category
  • metric_spec

To retrieve the object_type, metric_spec, and metric_category values for a metric name, complete the following steps:

  1. Click Settings
  2. Click Metric Catalog.
  3. Type the metric name in the search field.
  4. Select the metric, and look for the values in the REST API Parameters section.

For more information, see the Metric Catalog section.

You can retrieve object_ids from the URL that you are browsing. The following list gives the URL parameter for each object type.

  • Application: applicationOID=
  • Network: networkOID=
  • Group: deviceGroupOID=
  • Device: deviceOID=

Metric query examples for the text box widget

The following examples show you how to write top-level, or base, metric queries for application, device, and network objects. You can also write a query for detail metrics.

Application metrics

To specify the All Activity object, the object_ids is “0”.

This example query shows how you can retrieve HTTP metrics from the All Activity object, and displays the following output: “Getting [value] HTTP requests and [value] HTTP responses from All Activity.”

Getting
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"req"}]
}%%HTTP requests and
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"rsp"}]
}%%
HTTP responses from All Activity.

Device metrics

You must specify either a client (“_client”) or server (“_server”) in the metric_category. To retrieve metrics for a specific device, specify the device object ID number in object_ids. To retrieve the device object ID (deviceOid), search for the device object in the ExtraHop global search. Select the device from your search results. The “deviceOid=” value will be embedded in the URL query string.

This example query shows how to retrieve metrics from a device client object, and displays the following output: “Getting [value] CLIENT DNS response errors from a specific device.”

Getting
%%metric:{"object_type": "device",
"object_ids": [8],
"metric_category": "dns_client",
"metric_specs": [{"name":"rsp_error"}]
}%%
CLIENT DNS response errors from a specific device.

This example query shows how to retrieve metrics from a device server object, and displays the following output: “Getting [value] SERVER DNS response errors from a specific device.”

Getting
%%metric:{
"object_type": "device",
"object_ids": [156],
"metric_category": "dns_server",
"metric_specs": [{"name":"rsp_error"}]
}%%
SERVER DNS response errors from a specific device.

Network metrics

To specify All Networks, the object_type is “capture” and the object_ids is “0.” To specify a specific VLAN, the object_type is “vlan” and the object_ids is the VLAN number.

This example query shows how to retrieve metrics for all networks, and displays the following output: “Getting [value] broadcast packets from all networks.”

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from all networks.

This example query shows how to retrieve metrics for a specific VLAN and displays the following output: “Getting [value] broadcast packets from VLAN 3.”

Getting
%%metric:{
"object_type": "vlan",
"object_ids": [3],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from VLAN 3.

Group metrics

To specify a group, the object_type is “activity_group” or “device_group.” You must specify either a client (“_client”) or server (“_server”) in the metric_category. The object_ids for the specific group must be retrieved from the REST API Explorer.

This example query shows how to retrieve metrics for an activity group, and displays the following output: “Getting [value] HTTP responses from the HTTP Client Activity Group.”

Getting
%%metric:{
"object_type": "activity_group",
"object_ids": [17],
"metric_category": "http_client",
"metric_specs": [{"name":"req"}]
}%%
HTTP responses from the HTTP Client Activity Group.

Detail metrics

If you want to retrieve detail metrics, your metric query should contain additional key parameters, such as key1 and key2:

  • object_type
  • object_ids
  • metric_category
  • metric_spec
    • name
    • key1
    • key2
The key parameters act as a filter for displaying detail metric results. For non-custom detail metrics, you can retrieve detail metric parameters from the Metric Catalog. For example, type HTTP Responses by URI, and then look at the parameter values in the REST API Parameters section.
Important: You must supply the object_ids in your query.

This example shows how to retrieve HTTP requests by URI for the All Activity application (object_ids is “0”):

%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http_uri_detail",
"metric_specs": [{"name":"req"}]
}%%

This example query shows you how to retrieve HTTP requests by URIs that contain a key value for “pagead2” for the All Activity application (object_ids is “0”):

%%metric:{
"metric_category": "http_uri_detail",
"object_type": "application",
"object_ids": [0],
"metric_specs": [{
"name": "req",
"key1": "/pagead2/"
}]
}%%

This example query shows how to retrieve count metrics for all networks and displays the following output: “Getting [value] detail ICA metrics on all networks.”

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "custom_detail",
"metric_specs": [{
"name":"custom_count",
"key1":"network-app-byte-detail-ICA"
}]
}%%
detail ICA metrics on all networks.

This example query shows how to retrieve a custom dataset statistic with topn keys and percentiles, and displays the following output: “The fifth percentile is: [value].”

The fifth percentile is:
%%metric:{
"object_type": "vlan",
"object_ids": [1],
"metric_category": "custom_detail",
"metric_specs": [{
"name": "custom_dset",
"key1": "myCustomDatasetDetail",
"key2": "/10.10.7/",
"calc_type": "percentiles",
"percentiles": [5]
}]
}%%
.
Note: Sampleset metrics are unsupported in the text box widget. For example, adding the “calc_type”: “mean” parameter to your text box query is unsupported.
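The following script is an added example, not part of this guide or ExtraHop's code, that applies the rules of this section to the contents of a text box widget: it extracts every %%metric:...%% query, checks the required parameters and the stated limits (one object id, one metric spec, no mean calculation, a single percentile, a _client or _server category for device and group objects), and reads an object id out of a Web UI URL using the parameter names listed above. Time-series queries are not detected because the guide does not define how one is written, and searching the URL fragment as well as the query string is an assumption.

```python
"""Checker for ExtraHop text box metric queries (%%metric:<json>%%).

Added example, not ExtraHop code. It applies the rules this guide states:
required parameters, one object id and one metric spec per query, no mean
calculation, a single percentile, and a _client/_server metric_category for
device and group objects. Time-series queries are not detected because the
guide does not define how they are written.
"""
import json
import re
from urllib.parse import parse_qs, urlsplit

# A query is the JSON object between the %%metric: and %% markers.
QUERY_RE = re.compile(r"%%metric:\s*(\{.*?\})\s*%%", re.DOTALL)
# The guide lists metric_spec as required; every example on the page carries
# the key metric_specs, so that is the key checked here.
REQUIRED_KEYS = ("object_type", "object_ids", "metric_category", "metric_specs")
# Object types whose metric_category must name a client or server side.
CLIENT_SERVER_TYPES = {"device", "activity_group", "device_group"}
# URL parameter carrying each object type's id (lower-cased for matching).
URL_PARAM_FOR_TYPE = {"application": "applicationoid", "network": "networkoid",
                      "device_group": "devicegroupoid", "device": "deviceoid"}


def extract_queries(markdown_text):
    """Return the raw JSON body of every metric query embedded in the text."""
    return QUERY_RE.findall(markdown_text)


def validate_query(raw_json):
    """Return a list of problems with one query; an empty list means acceptable."""
    try:
        query = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return ["invalid JSON: " + exc.msg]
    if not isinstance(query, dict):
        return ["query must be a JSON object"]
    missing = [key for key in REQUIRED_KEYS if key not in query]
    if missing:
        return ["missing required parameter(s): " + ", ".join(missing)]

    problems = []
    ids = query["object_ids"]
    if not (isinstance(ids, list) and len(ids) == 1 and isinstance(ids[0], int)):
        problems.append("object_ids must be a list with exactly one integer id")
    category = str(query["metric_category"])
    if query["object_type"] in CLIENT_SERVER_TYPES and not (
            "_client" in category or "_server" in category):
        problems.append("metric_category needs _client or _server for this object_type")
    specs = query["metric_specs"]
    if not (isinstance(specs, list) and len(specs) == 1 and isinstance(specs[0], dict)):
        problems.append("metric_specs must be a list with exactly one spec object")
        return problems
    spec = specs[0]
    if "name" not in spec:
        problems.append("metric spec needs a name")
    if spec.get("calc_type") == "mean":
        problems.append("mean (sampleset) calculations are unsupported")
    percentiles = spec.get("percentiles")
    if percentiles is not None and (not isinstance(percentiles, list) or len(percentiles) != 1):
        problems.append("only a single percentile is supported")
    return problems


def check_text_box(markdown_text):
    """Map each embedded query, by position, to its list of problems."""
    return {i: validate_query(q) for i, q in enumerate(extract_queries(markdown_text))}


def object_id_from_url(url, object_type):
    """Pull the object id for object_type out of a Web UI URL.

    The query string and any query after the #/ fragment are both searched;
    the fragment fallback is an assumption of this example.
    """
    param = URL_PARAM_FOR_TYPE.get(object_type)
    if param is None:
        return None
    parts = urlsplit(url)
    for chunk in (parts.query, parts.fragment.partition("?")[2]):
        for key, values in parse_qs(chunk).items():
            if key.lower() == param and values[0].isdigit():
                return int(values[0])
    return None


# Constructed sample: the guide's All Activity example plus a deliberately bad
# device query (two ids, no client/server side, mean calculation).
SAMPLE_TEXT = """Getting
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"req"}]
}%% HTTP requests and
%%metric:{"object_type": "device", "object_ids": [8, 9], "metric_category": "dns",
"metric_specs": [{"name":"rsp_error", "calc_type": "mean"}]}%% errors.
"""
```

Running check_text_box(SAMPLE_TEXT) reports the first query as clean and three problems for the second, which is the same outcome the widget's rules above describe.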

Edit a dashboard region

Dashboard regions, which contain charts and widgets, are highly customizable. As you work with dashboards, you might need to frequently change or copy a region. You can only delete, resize, or rearrange a region by editing the dashboard layout.

To edit basic properties of a region in a dashboard, complete the following steps:
  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Select a dashboard with the region you want to edit.
  3. Click the region header to access the following options:
    Rename a region
    Add a custom name to the region.
    Modify sources
    Quickly replace the data sources for each chart in a region with a different source after copying a chart, region, or dashboard.
    Copy a region
    Hover over Copy to... and make one of the following selections:
    • Select the name of an existing dashboard from the list. The dashboard page opens and displays the location of the copied region.
      Tip: The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard.
    Change the region time interval
    Apply a time interval to the entire region by enabling the Region Time Selector.
    Fullscreen
    Expand region contents into a fullscreen display.

Change the time interval for a dashboard region

In a dashboard, you can apply a time interval to an entire dashboard with the Global Time Selector, or apply a different time interval per region with the Region Time Selector.

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Select a dashboard.
  3. Click the region header and then select Use Region Time Selector.
  4. Click Last 30 minutes and complete one of the following steps:
    • From the Time Interval tab, select one of the following options:
      • Select another time interval (such as Last 30 minutes, Last 6 hours, Last day, or Last week).
      • Specify a custom unit of time.
      • Select a custom time range. Click a day to specify the start date for the range. One click will specify a single day. Click another day to specify the end date for the range.
      • Compare metric deltas from two different time intervals.
    • From the History tab, select from up to five recent time intervals selected in a previous login session.
  5. Click Save to close the Region Time Selector.
    The new time interval is applied to all charts and widgets within the region.
  6. To remove the region time interval, click the region header and select Use Global Time Selector.
    When the time interval disappears from the region header, the global time interval is applied to the region.

Edit dashboard properties

To rename a dashboard, change the theme, or change the URL, you must edit the dashboard properties. When you create a dashboard, you have an opportunity to specify dashboard properties. However, you can change dashboard properties at any time.

You can only change properties for one dashboard at a time. You cannot multi-select dashboards and change a property, such as the dashboard theme.

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. Select the dashboard that you want to edit.
  3. Click the command menu in the upper right corner of the page and then select Dashboard Properties.
  4. In the Dashboard Properties window, you can modify the following fields:
    Title
    Rename the dashboard.
    Author
    Change the author name.
    Description
    Change the dashboard description. Note that the description is only seen when editing dashboard properties.
    Permalink
    Change the URL for the dashboard. By default, the permalink, also known as a short code, is a five-character unique identifier that appears after /Dashboard in the URL. You can change the permalink to a more user-friendly name.
    Note: The permalink can have up to 100 characters combining letters, numbers, and the following symbols: dot (.), underscore (_), dash (-), plus sign (+), parentheses ( ), and brackets ([ ]). Other characters are unsupported. The permalink cannot contain spaces.
    Sharing
    To share a dashboard with users who can view and edit, click the link. For more information, see Share a dashboard.
    Editors
    View the list of ExtraHop users with editing access to the dashboard. To change the users, click Sharing.
    Theme
    Select one of the following themes to change the colors and appearance of the dashboard:

    Light: White background with dark text.

    Dark: Black background with white text.

    Space: Dark background with a stylized background image and text.

  5. Click Save.

Present a dashboard

You can set your dashboard to display in fullscreen mode for presentations or for your network operation center screens.

The fullscreen mode provides the following viewing options:
  • You can view and interact with the entire dashboard while in Presentation Mode.
  • You can view a continuous cycle of each chart in the dashboard in a Widget Slideshow.
  • You can view a single region in fullscreen display.

To present an entire dashboard in fullscreen display, complete the following steps:

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards in the top menu.
  2. Select the dashboard you want to present.
  3. In the upper right corner of the page, click the command menu and select one of the following options:
    Presentation Mode
    The dashboard dock and top navigation menus collapse. You can interact with the time interval and dashboard components while in presentation mode.
    Widget Slideshow
    A continuous cycle of charts and widgets in fullscreen display begins. Select how long you want each widget to display (for example, 20 seconds, 15 seconds, etc.). Click the x icon in the upper right corner of the screen to return to the dashboard.
    Tip: To open a dashboard in Presentation Mode, add /presentation to the end of the URL and then bookmark it. For example: https://<extrahop_ip>/extrahop/#/Dashboard/437/presentation

Share a dashboard

By default, all custom dashboards you create are private, which means that no other ExtraHop users can view or edit your dashboard. However, you can share your dashboard by granting view or edit access to other ExtraHop users and groups. User and group information is imported into the ExtraHop system from LDAP (such as OpenLDAP or Active Directory).

Before you begin

Create a dashboard. You can also perform this procedure with a shared dashboard that you have edit access to.
Note: When you grant a user edit access, that user can modify and share the dashboard with others. However, other users cannot delete the dashboard. Only the dashboard owner can delete a dashboard.
  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. In the left pane, select a dashboard you want to share. You cannot share system dashboards or dashboards that you do not have edit access to.
  3. Click the command menu in the upper right corner of the dashboard page and select Share.
  4. Grant view or edit access by making one of the following selections:
    Type of access, followed by the selection to make:
    All ExtraHop users can view
    Select All users and groups can view; only specified users and groups.
    All ExtraHop users can view and only specific users can edit
    1. Select All users and groups can view; only specified users and groups.
    2. In the Specify users and groups field, type the name of a user or group, and then select the name from the drop-down list.
    3. Next to the name, select Can edit and click Add User or Add User Group.
    Only select ExtraHop users can view
    1. Select Only specified users or groups can view or edit.
    2. In the Specify users and groups field, type the name of a user or group, and then select the name from the drop-down list.
    3. Next to the name, select Can view and click Add User or Add User Group.
    Only select ExtraHop users can both view and edit
    1. Select Only specified users or groups can view or edit.
    2. In the Specify users and groups field, type the name of a user or group, and select the name from the drop-down list.
    3. Next to the name, select Can edit and click Add User or Add User Group.
    No ExtraHop users can view or edit (private dashboard)
    Your custom dashboard is set to private by default. If you shared your dashboard and then want to make it private again, select Only specified users or groups can view or edit and remove access.
  5. Click Save. If you shared your dashboard, a small gray icon will appear next to your dashboard in the dock.
    Note: How a user interacts with a dashboard and the information they can view in the ExtraHop system is determined by user privileges, which are assigned by the ExtraHop administrator. For more information, see the User privileges section in the ExtraHop Admin UI Guide.

Remove access to a dashboard

You can remove or modify dashboard access that you granted to users and groups.

  1. In the left pane, select the custom dashboard that you want to modify.
  2. Click the command menu in the upper right corner of the page and select Share.
  3. Remove access for users or groups by completing one of the following steps:
    • Remove all access for a user or group by clicking the red delete (x) icon next to the user or group name.
    • Remove edit access by selecting Can view from the drop-down list next to the user or group name.
  4. Click Save.

Export data

You can export chart data from the ExtraHop system in CSV and XLSX formats.

You can also create PDFs of ExtraHop charts, pages, and dashboards.

Export data to Excel

  1. Log into the Web UI on the Discover appliance.
  2. Navigate to a dashboard or protocol page.
  3. Right-click any chart, table, or metric and select Export to Excel.

Export data to CSV

  1. Log into the Web UI on the Discover appliance.
  2. Navigate to a dashboard or protocol page.
  3. Right-click any chart, table, or metric and select Export to CSV.

Create a PDF file

You can export data from a dashboard, protocol page, or individual chart as a PDF file.

  1. Find the dashboard or protocol page that contains the data you want to export and complete one of the following steps:
    • To create a PDF file of the entire page, click the command menu in the upper right corner of the page and select Print (from the Discover appliance) or Export to PDF (from the Command appliance).
    • To create a PDF file of an individual chart or widget, click the chart title and select Print (from the Discover appliance) or Export to PDF (from the Command appliance) from the drop-down menu.
  2. A PDF preview dialog opens. Complete one of the following steps:
    • Click Print Page and then select PDF as the destination from the print settings in your browser.
    • From a Discover appliance, click Print Widget and select PDF as the destination from the print settings in your browser.
    • From a Command appliance, select PDF format customizations and then click Export to PDF. The process for generating a PDF might take several seconds.
    Tip:To access PDF print options through a keyboard shortcut, type pp.

Customize the format of a PDF file

When creating a PDF file of a dashboard or protocol page from a Command appliance, you have several options for customizing the appearance of your PDF file.

  1. Type a custom name for your PDF file or accept the default name.
  2. Choose one of the following page width options:
    Narrow
    Displays large text in chart titles and labels, but provides less space for displaying chart data. Long chart titles and labels might be truncated.
    Medium
    (Recommended) Displays a view of chart titles, legends, and data that is optimized for portrait page orientation.
    Wide
    Displays small text in chart titles and labels, but provides more space for displaying chart data.
  3. Choose one of the following page break options:
    Single page
    Displays the entire dashboard or protocol page on a single, continuous page. This setting might generate a PDF file that is larger than standard printer page sizes.
    Page break per region
    Displays each chart region on an individual page.
  4. Choose one of the following themes:
    Light
    White background with dark text.
    Dark
    Black background with white text.
    Space
    Dark background with a stylized background image and text.
  5. Click Export to PDF. The process for generating a PDF might take several seconds.

Next steps

The PDF file will download to your local computer. Each PDF file includes the dashboard title and time interval. Click View report on ExtraHop to open the original dashboard set to the time interval specified in the PDF file.

Organize custom and shared dashboards

You can filter, sort, rearrange, and create folders to help you organize dashboards within the dashboard dock (left pane) on the Dashboards page.

By default, dashboards are placed within the following dock folders:
Dashboard Inbox
Displays a list of dashboards that have been shared with you by other users. The Dashboard Inbox folder appears only if one or more dashboards have been shared with you.
My Dashboards
Displays a list of dashboards that you created. You can keep your dashboards private or share them with other users. Editing access to your dashboard can be granted on a per-user or user group basis. For more information, see Share a dashboard.
System Dashboards
Displays the Activity and Network dashboards, which are built-in dashboards that provide you with a general overview of network behavior and health. You can copy a system dashboard, but you cannot delete, modify, move, or share these dashboards.

To organize dashboards across the dock, you can filter and sort dashboards with the controls at the top of the dashboard dock. You can also create and add custom dashboard folders.

Here are some considerations about organizing dashboards:
  • The dock must be in Edit Dock mode to rearrange dashboards. Click the command menu in the lower right corner of the dashboard dock and then select Edit Dock. You can also type the keyboard shortcut, OD. Click the Exit Edit Mode icon in the lower right corner of the dock when you are finished.
  • You cannot rearrange dashboards in the dock when they are sorted in ascending or descending order. You must first select the Custom Order icon at the top of the dashboard dock, as shown in the following figure.

  • You cannot move dashboards in or out of the System Dashboards folder.
  • When you filter dashboards, only the dashboards or folders that match the search string appear in the dashboard dock.
  • You cannot remove dashboards from the dock unless you delete them. To hide a dashboard, you can move the dashboard into a custom folder.
    Important:If you are a dashboard owner and you delete your dashboard from the dock, you cannot recover it. You can recover a shared dashboard that you deleted from the dock if the dashboard owner removes your access and shares with you again.

Create dashboard folders

You can create folders to organize dashboards in the dashboard dock. First create the folder, then edit the dock to add dashboards to the folder.

  1. Log into the Web UI on the Discover or Command appliance and click Dashboards at the top of the page.
  2. In the bottom corner of the dashboard dock, click the command menu, and then click New Folder.
  3. Type a name for the folder and then click Save.
    An empty dashboard folder is added to the bottom of the dashboard dock.
  4. In the bottom corner of the dashboard dock, click the command menu, and then click Edit Dock.
  5. Click-and-drag dashboards into the folder. Note that you cannot add system dashboards to a custom folder.
  6. Optional: Click-and-drag the folder to a new location within the dashboard dock. You must have the sort option at the top of the dashboard dock set to Custom Order. You cannot rearrange dashboards and folders when they are sorted by ascending or descending order.
  7. In the bottom corner of the dashboard dock, click the Exit Edit Mode icon.
    Tip:You can type the following keyboard shortcuts to perform these steps:
    • NF - Create a dashboard folder
    • OD - Edit the dashboard dock

Chart types

Dashboard charts in the ExtraHop system offer multiple ways to visualize metric data, which can help you answer questions about your network behavior.

You select a chart type when you edit a chart in the Metric Explorer. But how do you know which chart to select? It helps to first decide which question you want to answer:
  • To learn how a metric changes over time, select a time-series chart such as the area, column, line, line & column, or status chart.
  • To learn how a metric value compares to a complete set of data, select a distribution chart such as the box plot, candlestick, heatmap, or histogram chart.
  • To learn the exact metric value for a time period, select a total value chart such as the bar, list, pie, table, or value chart.
  • To learn the alert status of this metric, select the list, status, or value chart.

Find more answers in the Charts FAQ.

The following list gives an overview of each chart type and the kind of question it answers (time-series, distribution, or total value). See the sections that follow for more details and examples of each chart.

Area chart (Time-series)
    Displays metric values as a line that connects data points over time, with the area between the line and axis filled in with color.
Column chart (Time-series)
    Displays metric data as vertical columns over a selected time interval.
Line chart (Time-series)
    Displays metric values as data points in a line over time.
Line & Column chart (Time-series)
    Displays metric values as a line, which connects a series of data points over time, with the option to display another metric as a column chart underneath the line chart.
Status chart (Time-series)
    Displays metric values in a column chart and the status of an alert assigned to both the source and metric in the chart.
Box plot chart (Distribution)
    Displays variability for a distribution of metric data. Each horizontal line in the box plot includes three or five data points.
Candlestick chart (Distribution)
    Displays variability for a distribution of metric data over time.
Heatmap chart (Distribution)
    Displays a distribution of metric data over time, where color represents a concentration of data.
Histogram chart (Distribution)
    Displays a distribution of metric data as vertical bars or bins.
Bar chart (Total value)
    Displays the total value of metric data as horizontal bars.
List chart (Total value)
    Displays metric data as a list with optional sparklines that represent data changes over time.
Pie chart (Total value)
    Displays metric data as a portion or percentage of a whole.
Table chart (Total value)
    Displays multiple metric values in a table, which can be easily sorted.
Value chart (Total value)
    Displays the total value for one or more metrics.

Area chart

Metric data is displayed as data points over time connected by a line, with the area between the line and the x-axis filled in with color.

If your chart contains more than one metric, data for each metric is displayed as an individual line, or a series. Each series is stacked together to illustrate the cumulative value of the data.

Select the area chart to see how the accumulation of multiple metric data points over time contributes to a total value. For example, an area chart can reveal how various protocols contribute to total protocol activity.

For more information about displaying rates in your chart, see the Display rates section.

The following figure shows an example of an area chart.



Bar chart

The total value of metric data is displayed as horizontal bars.

Select the bar chart when you want to compare the data for more than one metric for a selected time interval.

The following figure shows an example of a bar chart.



Box plot chart

The box plot chart displays variability for a distribution of metric data. You can only display data from dataset metrics, such as server processing time, in this chart.

Each horizontal line in the box plot includes three or five data points. With five data points, the line contains a body bar, a vertical tick mark, an upper shadow line, and a lower shadow line. With three data points, the line contains a vertical tick mark, an upper shadow, and lower shadow. For more information about displaying specific percentile values in your chart, see Display percentiles.

The following figure shows an example of a box plot chart.



Candlestick chart

The candlestick chart displays variability for a distribution of metric data over time. You can only display data from dataset metrics or high-precision network (L2) byte and packet metrics.

Vertical lines at each time interval display three or five data points. If the line has five data points, it contains a body, a middle tick mark, an upper shadow line, and a lower shadow line. If the line has three data points, it contains a middle tick mark, an upper shadow, and a lower shadow. For more information about displaying specific percentile values in your chart, see Display percentiles.

Select the candlestick chart to view the variability of data calculations for a specific period of time.

The following figure shows an example of a candlestick chart.



Column chart

Metric data is displayed as vertical columns over time. If your chart contains more than one metric, data for each metric is displayed as an individual column or as a series. Each series is stacked together to illustrate the cumulative value of the data.

Select the column chart to compare how the accumulation of multiple metric data points at a specific time contributes to the total value.

The following figure shows an example of a column chart.



Heatmap chart

The heatmap chart displays a distribution of metric data over time, where color represents a concentration of data. You can only select a dataset metric to display in the chart, such as server processing time or round trip time.

Select the heatmap when you want to identify patterns in the distribution of data.

Here are some important considerations about the heatmap chart:
  • The heatmap legend displays the color gradient that corresponds to the data range in the chart. For example, the darker color on the heatmap indicates a higher concentration of data points.
  • The default data range is between the 5th and 95th percentiles, which filters outliers from the distribution. Outliers can skew the scale of data displayed in your chart, making it more difficult to spot trends and patterns for the majority of your data. However, you can choose to view the full range of data by changing the default filter in the Options tab. For more information, see Filter outliers.
  • The dashboard properties theme, such as Light, Dark, or Space, affects whether a dark or light color indicates a higher concentration of data points.

The following figure shows an example of a heatmap chart.



Histogram chart

The histogram chart displays a distribution of metric data as vertical bars, or bins. You can only select a dataset metric to display in this chart, such as server processing time or round trip time.

Select the histogram chart to view the shape of how data is distributed.

Here are some important considerations about the histogram chart:
  • The default data range is from the 5th to 95th percentile (5th-95th), which filters outliers from the distribution. The minimum to maximum (Min-Max) view displays the full data range. Click the magnifying glass in the upper right corner of the chart to toggle between the two views.
  • Data is automatically distributed into bins on either a linear or log scale based on the data range. For example, when the data range spans several orders of magnitude, data is placed into bins on a log scale. Min-Max (log) appears in the upper right corner of the chart.
  • Click-and-drag to zoom in on multiple bins or a specific bin. Click the magnifying glass again in the upper right corner of the chart to zoom out to the original view (either 5th-95th or Min to Max).
    Note:Zooming in to view a custom time interval does not change the global or region time interval.
  • Your toggle selection (between the 5th-95th and Min-Max views) will persist for your chart, but not for the users that you shared your dashboard and chart with. To set a persistent toggle selection before sharing a dashboard, see Filter outliers.

The following figure shows an example of a histogram chart.



Note:This chart does not support baselines or threshold lines.
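
The following Python script is an added example; it is not code from the ExtraHop guide or product. It works through the calculations behind the distribution charts described above: the percentiles that a three- or five-point box plot line is built from, the default 5th-95th percentile data range that heatmaps and histograms use to filter outliers, the Min-Max toggle, and the switch from linear to log-scale bins when the displayed range spans several orders of magnitude. The sample processing times are constructed. The nearest-rank percentile method, the mapping of percentiles to box plot glyphs (5/25/50/75/95), and the three-orders-of-magnitude threshold for log bins are this example's assumptions; the guide does not state which the system uses.

```python
import math
from typing import Callable, Dict, List, Tuple

# Constructed sample: 102 server processing time measurements in milliseconds,
# 1 ms to 100 ms in 1 ms steps plus two outliers (5,000 ms and 50,000 ms) that
# would stretch a Min-Max axis. Not data from the ExtraHop system.
SAMPLES: List[float] = [float(ms) for ms in range(1, 101)] + [5000.0, 50000.0]

# Assumed threshold for switching from linear to log-scale bins. The guide says
# bins go on a log scale when the range spans "several orders of magnitude"
# without giving a number; three is this example's choice.
LOG_SCALE_ORDERS = 3


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile: smallest value with at least p percent of the data at or below it.

    The guide does not say which percentile method the system uses; nearest rank
    is this example's assumption.
    """
    if not values:
        raise ValueError("percentile of an empty dataset")
    if not 0 < p <= 100:
        raise ValueError("p must be in the range (0, 100]")
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))  # 1-based rank
    return ordered[rank - 1]


def box_plot_points(values: List[float], five_point: bool = True) -> Dict[str, float]:
    """Percentiles behind one box plot line.

    Three points: lower shadow, tick mark, upper shadow. Five points add the two
    ends of the body bar. Which percentile each glyph shows is this example's
    assumption (5/25/50/75/95); the chart's Display percentiles setting decides it.
    """
    points = {
        "lower_shadow": percentile(values, 5),
        "tick": percentile(values, 50),
        "upper_shadow": percentile(values, 95),
    }
    if five_point:
        points["body_low"] = percentile(values, 25)
        points["body_high"] = percentile(values, 75)
    return points


def data_range(values: List[float], filter_outliers: bool) -> Tuple[float, float]:
    """Default 5th-95th view, or the full Min-Max view after the magnifying-glass toggle."""
    if filter_outliers:
        return percentile(values, 5), percentile(values, 95)
    return min(values), max(values)


def histogram(values: List[float], nbins: int = 10, filter_outliers: bool = True) -> Dict[str, object]:
    """Bin the values within the selected data range on a linear or log scale."""
    if nbins < 1:
        raise ValueError("nbins must be at least 1")
    lo, hi = data_range(values, filter_outliers)
    kept = [v for v in values if lo <= v <= hi]
    # Log bins only make sense for strictly positive data spanning a wide range.
    use_log = lo > 0 and math.log10(hi / lo) >= LOG_SCALE_ORDERS
    transform: Callable[[float], float] = math.log10 if use_log else (lambda v: v)
    lo_t, hi_t = transform(lo), transform(hi)
    width = (hi_t - lo_t) / nbins if hi_t > lo_t else 1.0
    counts = [0] * nbins
    for v in kept:
        idx = int((transform(v) - lo_t) / width)
        counts[min(idx, nbins - 1)] += 1  # the top edge belongs to the last bin
    edges_t = [lo_t + i * width for i in range(nbins + 1)]
    edges = [10 ** e for e in edges_t] if use_log else edges_t
    return {
        "view": "5th-95th" if filter_outliers else "Min-Max",
        "scale": "log" if use_log else "linear",
        "edges": edges,
        "counts": counts,
        "filtered_out": len(values) - len(kept),
    }
```

Calling histogram(SAMPLES, nbins=4) with the default 5th-95th filter drops the ten extreme points and spreads the rest evenly across four linear bins; the same call with filter_outliers=False switches to log bins and packs 100 of the 102 points into the first two, which is the skew the outlier filter exists to avoid.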

Line chart

Metric data is displayed as data points over time that are connected in a line. If your chart contains more than one metric, data for each metric is displayed as an individual line or as a series. Each series overlaps.

Select the line chart to compare changes over time.

The following figure shows an example of a line chart.



Line & column chart

Metric data is displayed as data points over time connected by a line, with the option to display a column chart underneath the line chart. If your chart contains more than one metric (such as HTTP Requests and HTTP Errors), you can select Display as Columns to display one of the metrics as a column chart underneath the line chart.

Columns are displayed in the color red by default. To remove the red color, click Options and deselect Display columns in red.

Select the line & column chart to compare different metrics at different scales in one chart. For example, you can view error rates and the total number of HTTP responses in one chart.

The following figure shows an example of a line & column chart.



List chart

Metric data is displayed as a list. Select the list chart to view long lists of metric values, such as detail metrics.

This chart includes the following options:
  • Add a sparkline, which is a simple area chart placed inline with the metric name and value. A sparkline shows how data changed over time. Click the Options tab and select Include Sparkline.
  • Display the metric value in an alert status color. Different colors indicate the severity of the configured alert. For example, if an alert threshold is crossed for a metric that is displayed in the list chart, the value for that metric appears in red. Click the Options tab and select Use color to show alert status.
Note:This chart does not support baselines or threshold lines.

The following figure shows an example of a list chart.



Pie chart

Metric data is displayed as a portion or percentage of a whole. If your chart contains more than one metric, data for each metric is represented as single slice, or series, in the pie chart.

Select the pie chart to compare the metric values that are mutually exclusive, such as status code detail metrics for the top-level HTTP Response metric.

This chart includes the following options:
  • Display as a donut chart. Click the Options tab and select Show total value.
  • Specify the decimal precision, or the number of digits, displayed in your chart. Percent precision is useful for displaying ratios of data, especially for service-level agreements (SLAs) that might require precise figures for reporting. Click the Options tab, and in the Units section, select Show percents instead of counts. Then select 0.00% or 0.000% from the drop-down list.

The following figure shows an example of a pie chart.



Status chart

Metric data is displayed in a column chart. The color of each column represents the most severe alert status of the configured alert for the metric. You can only select one source and metric to display in this chart.

To view the status of all of the alerts associated with the selected metric category, click Show Related Alerts. A list of alerts is then displayed below the column chart.

Select the status chart to see how data and the alert status for your metric change over time.

Note:This chart does not support baselines.

The following figure shows an example of a status chart.



Table chart

Metric data is displayed across rows and columns in a table. Each row represents a source. Each column represents a metric. You can add multiple sources (of the same type) and metrics to a table.

Select the table chart when you want to view metric data in a grid and easily sort values across multiple metrics.
Note:This chart does not support baselines or threshold lines.

The following figure shows an example of a table chart.



Value chart

The total value for one or more metrics is displayed as a single value. If you select more than one metric, metric values are displayed side-by-side.

Select the value chart to see the total value of important metrics, such as the total number of HTTP errors occurring on your network.

This chart includes the following options:
  • Add a sparkline, which is a simple area chart placed underneath the metric value. A sparkline shows how data changed over time. Click the Options tab and select Include Sparkline.
  • Display the metric value in an alert status color. Different colors indicate the severity of the configured alert. For example, if an alert threshold is crossed for a metric, the value appears in red. Click the Options tab and select Use color to show alert status.
Note:This chart does not support baselines or threshold lines.

The following figure shows an example of a value chart.



Create a chart

Charts are an essential tool for visualizing, analyzing, and understanding network behavior. You can create a custom chart from a dashboard or protocol page to visualize data from any of the 4,000+ built-in metrics or custom metrics available in the ExtraHop system. For example, if you observe an interesting server metric while troubleshooting, you can create a chart to visualize and further analyze that metric. Custom charts are then saved to dashboards.

The following steps show you how to quickly create a blank custom chart:

  1. Log into the Web UI on the Discover or Command appliance and complete one of the following steps:
    • Click Dashboards at the top of the page.
    • Click Metrics at the top of the page. Select a source from the left pane, and then click the name of an application, device, device group, or network from the center pane. A protocol page for the source appears.
  2. Click the command menu in the upper right corner of the page and then select Create Chart.
  3. Edit the chart in the Metric Explorer.
  4. To save your chart, click Add to Dashboard and complete one of the following steps:
    • Select the name of an existing dashboard from the list. The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard and then click Create.
    Tip:Here are some other ways to create a chart:
    • If you find a chart you like on a protocol page or dashboard, you can recreate and save that chart to your dashboard. Click the chart title and then select Create Chart From....
    • You can edit a dashboard layout and click-and-drag a new chart widget onto the dashboard.

Next steps

After you create a chart, learn more about working with dashboards:

Copy a chart

If you want to duplicate a useful chart or widget, you can copy it to a new region in a dashboard. Copied widgets must be saved to a dashboard. Copied widgets are always placed into a new region, which you can later modify.

  1. Log into the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Select a dashboard that contains the chart or widget that you want to copy.
  3. Click the title.
    Note:You cannot click the title of a text box widget. To copy a text widget, you must first edit the dashboard layout. Click the command menu in the upper right corner of the text box widget, and then complete step 4.
  4. Hover over Copy to… to expand a drop-down list and then make one of the following selections:
    • Select the name of an existing dashboard from the list. The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard and then click Create.

Drill down

Chart metrics often raise questions about behavior in your environment. For example, if you find a large number of DNS request timeouts on your network, you might wonder which DNS servers are experiencing those timeouts. ExtraHop drill down functionality can help answer that question and other questions that come up when viewing charts.

The ExtraHop system enables you to easily drill down from a top-level metric into specific details about the devices, methods, or resources associated with that metric. When you drill down on a metric by a key (such as a client IP address or resource), the ExtraHop system calculates a topnset of up to 1,000 metric value-key pairs.

Drill down on metrics from device or application protocol pages

When you see an interesting top-level metric about protocol activity on a device, a device group, an activity group, or an application page, you can drill down to investigate which factors are linked to that activity. Drilling down on a metric lets you investigate metric values broken down by key, such as client IP address, server IP address, methods, or resources.

  1. Click Metrics and then click Device, Device Group, Activity Group, or Application in the left pane.
  2. Click a device, group, or application name.
  3. Click on a metric value or a metric label in the chart legend. A menu appears.
    Tip:You can also click a drill-down shortcut button in the Drill Down section in the upper right corner of the page.
  4. In the Drill down by… section, select a key. A drill-down metrics page with a topnset of metric values by key appears. You can view up to 1,000 key values in a topnset.
    Tip:If a View More link appears at the bottom of a chart, click View More to drill down on the metric displayed in the chart.

Drill down on flow network metrics

When you see an interesting top-level metric about network activity on a flow network or flow interface page, you can drill down to investigate which factors are linked to the activity. Drilling down on a metric lets you investigate metric values broken down by peer IP addresses, protocols and ports, conversations, and sender and receiver IP addresses.

  1. Click Metrics and then click Networks in the left pane.
  2. Click a flow network or flow interface name.
  3. Click a metric value or a metric label in the chart legend. A menu appears.
  4. In the Drill down by… section, select a key. For example, in the Endpoints region, you can drill down on charts by peer IP addresses.
    You will navigate to a page that contains a table of metric values by key from a topnset. You can view up to 1,000 key values in a topnset.
    Note:For drill-down metric values, which are not polled automatically, you will see the snapshot of the global time interval, which includes a blue refresh icon and gray text that indicates when the metric or record query was last polled. To reload the metrics for the specified time interval, click the refresh icon in the Global Time Selector display.

Drill down on network capture and VLAN metrics

When you see an interesting top-level metric about network activity on a Network capture or VLAN page, you can identify which devices are linked to that activity.

Note:For information about how to drill down on metrics from a flow network or flow network interface page, see the Drill down on flow network metrics section.
  1. Click Metrics.
  2. Click Networks in the left pane.
  3. Click a network capture or VLAN interface name.
  4. Click a network layer in the left pane, such as L3 or L7 Protocols. Charts that display metric values for the selected time interval appear. For most protocols and metrics, a Device table also appears at the bottom of the page.
  5. Click the chart data, which updates the list to display only the devices that are associated with the data.
  6. Click a device name. A Device page appears, which displays traffic and protocol activity associated with the selected device.

Investigate drill-down metrics by key

Drilling down on a metric lets you view metric values by key, such as client IP address, server IP address, methods, or resources. On the drill-down, or detail metric, page, there are several ways to interact with value-key pairs, which help you to learn how a specific device, method, or resource is linked to network activity.

The following figure shows all the available options for exploring detail metrics:

Filter results
You can filter drill-down results in the following ways:
  • Type in the filter field to dynamically filter results
  • Click the Any Field drop-down list and make a selection
  • Choose an operator to define parameters for your filter:
    • Select = to perform an exact string match.
    • Select ≈ to perform an approximate string match. The ≈ operator supports regular expressions.
      Note:To exclude a result, enter a regular expression. For more information, see Create regular expression filters in a chart.
    • Select > or ≥ to perform a match for values greater than (or equal to) a specified value.
    • Select < or ≤ to perform a match for values less than (or equal to) a specified value.

Click Add filter to save the filter settings. You can save multiple filters for one query. Saved filters are cleared if you select another key from the Details section in the left pane.

Observe changes over time in the chart
You can observe how a metric value changed over the selected time interval in the chart above the table. Select an individual row or multiple rows to change chart data. Hover over data points in the chart to view more information about each data point.
Pivot to more data
You can view metric values for different keys by clicking key names in the Details section in the left pane. If available, click a device name in the table to navigate to a Device page, which displays traffic and protocol activity associated with that device.
Adjust time interval and compare data from two time intervals
You can change the time interval in the Global Time Selector to view metric values from different time intervals. You can also perform a metric delta comparison from two different time intervals in the same table. For more information, see Compare metric deltas.
Note:The global time interval in the upper left corner of the page includes a blue refresh icon and gray text that indicates when the drill-down metrics were last polled. To reload the metrics for the specified time interval, click the refresh icon in the Global Time Selector display. For more information, see View the latest data for a time interval.
Sort data in columns
You can sort by metrics to learn which keys are associated with the largest or smallest metric values. For example, when you drill down on HTTP responses by client for an HTTP server, you can sort on processing time to see which clients experienced the longest website load times. You can then click the host name to navigate to the Device page to learn more about the client.
Note:When you drill down on a response, request, or network byte metric, related metrics such as processing time are included in the table. For example, when you drill down on CIFS responses by files, related metrics such as goodput bytes and access time appear in the far right columns in the table.
Change data calculation for metrics
You can change the following calculations for metric values displayed in the table:
  • If you have a count metric in the table, click Count in the Options section in the left pane and then select Average Rate. Learn more in the Display a rate or count in a chart topic.
  • If you have a dataset metric in the table, click Mean in the Options section in the left pane and then select Summary. When you select Summary, you can view the mean and the standard deviation.
Export data
You can download a PDF, CSV, or Excel file with all the drill-down results by right-clicking on the table.

Add drill down metrics to chart

You can add drill-down metrics to charts on protocol pages and dashboards. When you drill down on a metric in the Metric Explorer, you can view up to 20 top key values in a chart for a specific time interval. A key can be a client IP address, hostname, method, URI, referrer, or more. For example, if your chart displays a total count for HTTP Requests, you can drill down by client to view the IP addresses that sent the most requests to your web servers.

  1. Log into the Web UI on the Discover or Command appliance.
  2. Navigate to a dashboard or protocol page.
  3. Click the chart title and then select Edit.
  4. In the Details section, click Drill down by <None>. If a drill-down key is already selected for the chart, the name of that key appears in place of <None>.
  5. Select a key from the drop-down list.
    Note:If you have more than one source selected in your metric set, such as two devices, the sources are automatically combined into an ad hoc source group as you drill down. You cannot deselect the Combine Sources checkbox. To view drill-down metrics for each source, you must remove a source from the metric set and then click Add Source to create a new metric set.
    If drill-down metric data for a common key is available for all of the metrics in a metric set, that key automatically appears in the drop-down list, as shown in the following figure. If a key in the list is grayed out, data for that key is not available for every metric in the metric set. For example, client, server, and URI data are available for both the HTTP Requests and HTTP Responses metrics in a metric set.

  6. You can filter drill-down metric keys with an approximate match, regular expression (regex), or exact match through one of the following steps:
    • In the Filter field, select the ≈ icon to display keys by an approximate match or with regex. Omit the forward slashes that normally delimit a regex when you type it into the approximate match filter.
    • In the Filter field, select the = icon to display keys by an exact match.
  7. Optional: In the top results field, enter the number of keys that you want to display. These keys will have the highest values.
  8. To remove a drill-down selection, click the x icon.
    Note:You can display an exact key match per metric, as shown in the following figure. Click the drill-down metric name (such as All Methods) to select a specific drill-down metric key (such as GET) from the drop-down list. If a key appears gray (such as PROPFIND), drill-down metric data is unavailable for that specific key. You can also type a key that is not in the drop-down list.
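
To make the filter semantics concrete, here is an added Python example (not ExtraHop code) that applies the drill-down filter operators from the Filter results section (= for an exact string match, ≈ for a regex, and the numeric comparisons) and the Filter field and top results controls from the procedure above to a constructed topnset of HTTP Requests by client. Saved filters are combined with AND, results are ranked by value, and the result is capped at the 1,000-pair topnset limit and then at the requested top count. The row layout, function names, and the ASCII aliases for the symbolic operators are this example's assumptions, as is the use of a negative lookahead to exclude keys, which is one regular expression that does what the Note above describes.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple, Union

Row = Dict[str, Union[str, float]]
Predicate = Callable[[Row], bool]

# The system calculates a topnset of up to 1,000 metric value-key pairs per drill down.
TOPNSET_LIMIT = 1000

# Constructed topnset for HTTP Requests drilled down by client IP address
# (key = client address, value = request count). Not data from the ExtraHop system.
TOPNSET: List[Row] = [
    {"key": "10.0.0.5", "value": 1200},
    {"key": "10.0.0.12", "value": 860},
    {"key": "192.168.1.7", "value": 430},
    {"key": "10.0.1.9", "value": 95},
    {"key": "172.16.3.3", "value": 12},
]

# Assumed ASCII spellings of the symbolic operators shown in the UI.
OPERATOR_ALIASES = {"~": "≈", "≥": ">=", "≤": "<="}
NUMERIC_COMPARISONS = {
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def make_filter(field: str, operator: str, operand: str) -> Predicate:
    """Build one saved filter over a topnset row.

    field is "key" or "value"; operator is = (exact string), ≈ (regex search),
    or one of > >= < <= (numeric comparison).
    """
    if field not in ("key", "value"):
        raise ValueError(f"unknown field {field!r}")
    operator = OPERATOR_ALIASES.get(operator, operator)
    if operator == "=":
        return lambda row: str(row[field]) == operand
    if operator == "≈":
        # The regex is typed without surrounding slashes and matched anywhere in
        # the field, so "^10\." anchors to the start and "^(?!10\.)" excludes it.
        pattern = re.compile(operand)
        return lambda row: pattern.search(str(row[field])) is not None
    if operator not in NUMERIC_COMPARISONS:
        raise ValueError(f"unknown operator {operator!r}")
    compare = NUMERIC_COMPARISONS[operator]
    threshold = float(operand)  # a non-numeric operand is rejected when the filter is added

    def numeric(row: Row) -> bool:
        try:
            return compare(float(row[field]), threshold)
        except (TypeError, ValueError):
            return False  # a non-numeric key never satisfies a numeric comparison

    return numeric


def drill_down(rows: List[Row], filters: List[Predicate], top: Optional[int] = None) -> List[Tuple[str, float]]:
    """Apply every saved filter (all must match), rank by value, and cap the result.

    The cap is the topnset limit first, then the optional "top results" count.
    """
    matched = [row for row in rows if all(f(row) for f in filters)]
    matched.sort(key=lambda row: float(row["value"]), reverse=True)
    matched = matched[:TOPNSET_LIMIT]
    if top is not None:
        matched = matched[:top]
    return [(str(row["key"]), row["value"]) for row in matched]
```

For example, drill_down(TOPNSET, [make_filter("key", "≈", r"^10\."), make_filter("value", ">", "100")]) keeps only the two 10.x clients with more than 100 requests, and make_filter("key", "≈", r"^(?!10\.)") returns the clients outside 10.x instead.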

Display a rate or count in a chart

You can visualize errors, responses, requests, and other count metric data in a chart as a per second rate or as a total number of events over time. For high-precision Network Bytes and Network Packets metrics, you have the additional options to view the maximum, minimum, and average rate per second in a chart.

When editing a chart in the Metric Explorer, you can select a count or rate by clicking the drop-down link below the metric name, as shown in the following figure.

In addition, you can select from the following options for displaying rates and counts. Note that the type of metric you select affects which rate or count is automatically displayed.

Average rate
Calculates the average metric value per second for the selected time interval. For network-related metrics, such as Response L2 Bytes or NetFlow Bytes, the average rate per second is automatically displayed.
Count
Displays the total count of events for the selected time interval. For the majority of count metrics, such as errors, requests and responses, the count is automatically displayed.
Rate summary
Calculates the maximum, minimum, and average metric value per second. For high-precision metrics, such as Network Bytes and Network Packets, these three rates are automatically displayed in the chart as a summary. You can also select to view only the maximum, minimum, or average rate in a chart. High-precision metrics are collected with a 1-second level of granularity and are only available when you configure your chart with a network capture or device source.
Display the average rate in a chart

If you configured a chart with an error, response, request, or other type of count metric, then the total number of events over time is automatically displayed. You can further edit the chart to display an average rate per second for your data.

Before you begin

Create a chart and select a count metric, such as errors, requests, or responses, as your source. Save your chart to a dashboard.
The following steps show you how to add an average rate to an existing dashboard chart:
  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and select Edit.
  3. Click Count below the metric name.
  4. Select Average Rate from the drop-down list. The unit “/s” is applied to metric units. You can toggle back to the count at any time.
  5. Click Save to close the Metric Explorer.
    Tip:When you select more than one count metric in a chart, avoid displaying rates and counts together in the same chart. It can skew the scale of the y-axis. The y-axis will include a "/s" on tick labels only if all metrics are displaying rates.
Display the maximum rate in a chart

To display a maximum rate per second of a metric in a chart, you must configure a chart with a high-precision metric.

The following steps show you how to configure a chart that displays a maximum rate:

  1. Log into the Web UI on the Discover or Command appliance and complete one of the following steps:
    • To create a new chart, click the command menu in the upper right corner of the page and then select Create chart.
    • To edit an existing chart, click Dashboards at the top of the page. Select a dashboard containing the chart that you want to edit. Click the chart title and select Edit.
  2. Click Add Source and select one of the following sources:
    • A network capture that is not a flow network.
    • A device, such as a server or client.
  3. Search for and select one of the following metrics:
    For a network capture source
    • Network Bytes (total throughput)
    • Network Packets (total packets)
    For a device source
    • Network Bytes (combined inbound and outbound throughput by device)
    • Network Bytes In (inbound throughput by device)
    • Network Bytes Out (outbound throughput by device)
    • Network Packets (combined inbound and outbound packets by device)
    • Network Packets In (inbound packets by device)
    • Network Packets Out (outbound packets by device)
  4. Select a chart type that is compatible with count metrics (includes line, value, column, bar, pie, and list charts).
    The default display for a high-precision metric is a rate summary that automatically displays the maximum, average, and minimum rate.
  5. Click Rate Summary below the metric name.
  6. Select Maximum Rate from the drop-down menu.
  7. Click Save to close the Metric Explorer.

Display percentiles or a mean in a chart

If you have a set of servers that are critical to your network, viewing the 95th percentile of server processing time in a chart can help you gauge how much servers are struggling. Percentiles are statistical measures that can show you how a data point compares to a total distribution over time.

You can only display percentile value and mean (average) calculations in charts that contain dataset or sampleset metrics. Dataset metrics are associated with timing and latency, such as server processing time and round trip time metrics. Sampleset metrics provide summaries of detail timing metrics, such as server processing time broken down by server, method, or URI.

When editing a chart in the Metric Explorer, you can select percentiles or the mean by clicking the drop-down link below the dataset or sampleset metric name, as shown in the following figure.

The Metric Explorer provides the following calculations for displaying percentiles and the mean.
Summary

For dataset metrics, the Summary is a range that includes the 95th, 75th, 50th, 25th, and 5th percentile values.

For example, each line in a candlestick chart contains five data points. If Summary is selected, the main body of the line represents the range from the 25th percentile to the 75th percentile. The middle tick mark represents the 50th percentile (median). The upper shadow above the body line represents the 95th percentile. The lower shadow represents the 5th percentile.

For sampleset metrics, the Summary displays the +/-1 standard deviation and the mean values. In the candlestick chart, the vertical tick mark in the line represents the mean, and the upper and lower shadows represent the standard deviation values.

Mean
The calculated average of data.
Median
The 50th percentile value of a dataset metric.
Maximum
The 100th percentile value of a dataset metric.
Minimum
The 0th percentile value of a dataset metric.
Percentile
A custom range of three or five percentile values for a dataset metric.
Display a custom range of percentiles

You can display a custom range of three or five percentile values for server processing time or round trip time metrics. You cannot display custom percentiles in a pie or status chart.

Before you begin

Create a chart and select a dataset or sampleset metric, and save it to a dashboard.

The following steps show you how to add a custom percentile range to an existing dashboard chart:

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart you want to edit.
    2. Click the chart title and select Edit.
  3. Click Summary below the metric name.
  4. Select Percentile... from the drop-down list.
  5. In the Set Percentiles field, type a number for each percentile value, separated by a comma. For example, to view the 10th, 30th, and 80th percentiles, type 10, 30, 80.
  6. Click Save. Your custom range is now displayed in the chart. You can toggle between your custom range and other percentile selections, such as Summary or Maximum, at any time.
  7. Click Save again to close the Metric Explorer.
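The following is an added example, not code from ExtraHop or this guide, showing how the Summary, Median, Maximum, Minimum and custom Percentile selections described above are computed from a set of timing samples, and how a "Set Percentiles" entry such as 10, 30, 80 is parsed. It uses the nearest-rank percentile method and a constructed list of server processing times; the exact interpolation the appliance uses is not stated on this page, so treat the method as an assumption.

```python
import math
from statistics import mean, pstdev

# Constructed server processing time samples in milliseconds for one
# roll-up period; not data from any appliance. The 400 ms outlier is
# deliberate: it pulls the mean well above the median.
PROCESSING_TIME_MS = [12, 15, 18, 20, 22, 25, 27, 30, 31, 33,
                      35, 38, 40, 42, 45, 50, 60, 75, 90, 400]


def percentile(values, p):
    """Nearest-rank percentile: the smallest sample such that at least p
    percent of the samples are less than or equal to it. p=0 is the minimum,
    p=100 the maximum and p=50 the median."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    if p <= 0:
        return ordered[0]
    rank = math.ceil(p * len(ordered) / 100)        # 1-based rank
    return ordered[min(rank, len(ordered)) - 1]


def dataset_summary(values):
    """The Summary selection for a dataset metric: 5th to 95th percentiles."""
    return {p: percentile(values, p) for p in (5, 25, 50, 75, 95)}


def sampleset_summary(values):
    """The Summary selection for a sampleset metric: mean and +/-1 std dev."""
    mu, sigma = mean(values), pstdev(values)
    return {"mean": mu, "minus_1sd": mu - sigma, "plus_1sd": mu + sigma}


def custom_percentiles(values, spec):
    """Parse a 'Set Percentiles' entry such as '10, 30, 80' (three or five
    values, as the Metric Explorer accepts) and evaluate each percentile."""
    points = [int(s) for s in spec.split(",") if s.strip()]
    if len(points) not in (3, 5):
        raise ValueError("enter three or five percentile values")
    if any(not 0 <= p <= 100 for p in points):
        raise ValueError("percentiles must be between 0 and 100")
    return {p: percentile(values, p) for p in points}


def trim_to_inner_range(values):
    """The default histogram/heatmap filter: keep only samples between the
    5th and 95th percentiles so a single outlier does not stretch the axis."""
    lo, hi = percentile(values, 5), percentile(values, 95)
    return [v for v in values if lo <= v <= hi]


if __name__ == "__main__":
    print("summary:", dataset_summary(PROCESSING_TIME_MS))
    print("custom 10,30,80:", custom_percentiles(PROCESSING_TIME_MS, "10, 30, 80"))
    print("sampleset:", sampleset_summary(PROCESSING_TIME_MS))
```

On this sample the median (33 ms) and the mean (55.4 ms) disagree by a wide margin, which is the practical reason the guide steers you to percentiles for latency: one slow transaction moves the mean, but not the 50th or 95th percentile.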
Filter outliers in histogram or heatmap charts

Histogram and heatmap charts display a distribution of data. However, outliers can skew how the distribution displays in your chart, making it difficult to notice patterns or average values. The default filter option for these charts excludes outliers from the data range and displays the 5th-95th percentiles. You can change the filter to view the full range of data (minimums to maximums), including outliers, in your chart by completing the following procedure.

  1. Click the chart title and then select Edit to launch the Metric Explorer.
  2. Click the Options tab.
  3. From the Default filter drop-down list in the Filters section, select Min to Max.
  4. Click Save to close the Metric Explorer.

Edit metric labels in a chart legend

You can change the default metric label in a chart to a custom label. For example, you can change the default label, "Network Bytes," to a custom label such as "Throughput."

Custom labels only apply to individual charts. A custom label for a metric will persist if you copy the chart to another dashboard, share a dashboard with another user, or add new metrics to your chart.

However, if you make changes to the original metric, such as updating the data calculation (from median to 95th percentile, for example) or drilling down on the metric, the custom label will automatically clear. The label clears to prevent mislabeling or potential inaccuracy of the custom label when metric data changes.

Here are some considerations about changing the label of a chart legend:

  • For detail metrics, a custom label is automatically appended to all the keys displayed in the chart. However, you can change the order of the key in the label by including the variable, $KEY:
    • Type $KEY errors to display 172.21.1.1 errors
    • Type [$KEY] errors to display [172.21.1.1] errors
  • You cannot change labels in the box plot, candlestick, heatmap, table, or status charts.
  • You cannot rename metric delta or dynamic baseline labels.

Before you begin

Create a chart and select a metric.

The following steps show you how to change metric labels in an existing dashboard chart:

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and select Edit.
  3. In the preview pane of the Metric Explorer, click the metric label.
  4. Select Rename from the drop-down menu.
  5. In the Display custom label field, type a new label. The label must be unique from other labels in the chart.
  6. Click Save, and then click Save again to close the Metric Explorer.
    The new label appears in your chart.

Add a dynamic baseline to a chart

Dynamic baselines help distinguish between normal and abnormal activity in your chart data. Baselines are only supported in the area, candlestick, column, line, and line & column charts.

Discover appliances calculate dynamic baselines based on historical data. To generate a new data point on a dynamic baseline, an appliance calculates the median value for a specified period of time.

Warning:Deleting or modifying a dynamic baseline can delete baseline data from the system. If a dynamic baseline is not referenced by any dashboards, the data will be deleted from the system to free unused system resources. You cannot recover a dynamic baseline after it is deleted.

Select a baseline type that best fits your environment. For example, if you regularly see dramatic changes from one day to another, select an hour-of-week baseline that compares activity seen on specific days of the week. If HTTP activity spikes on Saturdays, the hour-of-week baseline can help you compare the current spike in HTTP activity with the level seen on other Saturdays at the same hour. The following table describes how each type of baseline is calculated:

Baseline type | Historical data | What the baseline compares | New baseline data points added
Hour of day | 10 days | Metric values from a given hour of the day, for example every day at 2:00 PM. | Every hour
Hour of week | 5 weeks | Metric values for a given hour on a specific day of the week, for example every Wednesday at 2:00 PM. | Every hour
Short-term trend | 1 hour | Metric values from each minute in one hour. | Every 30 seconds

Here are some important considerations about adding a baseline to a chart:

  • Dynamic baselines require a Discover appliance to calculate and store baseline data. Therefore, creating a baseline consumes system resources, and configuring too many baselines might degrade system performance.
  • Deleting or modifying a dynamic baseline can delete dynamic baseline data from the Discover appliance.
  • Detail, sampleset, maximum rate, and minimum rate metrics are unsupported. If these types of metrics are selected in your chart, you will be unable to generate a dynamic baseline for this data.
  • The Discover appliance can begin building a dynamic baseline only if the necessary amount of historical data is available. For example, an Hour of day baseline requires 10 days of historical data. If the Discover appliance has only been collecting data for six days, the appliance will not begin plotting the baseline until it has four more days worth of data.
  • The Discover appliance does not retroactively plot a dynamic baseline for historical data. The Discover appliance only plots a dynamic baseline for new data.
  • If two identical dynamic baselines exist in separate dashboards, the dashboards reuse the baseline data; however, the baselines must be identical. If you select a new baseline type, the new dynamic baseline will not share data with the previous dynamic baseline.
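The following is an added example, not ExtraHop code, that reproduces the calculation the table and considerations above describe: each baseline point is the median of the historical samples the baseline type compares, and no point is produced until the full lookback is available. The metric series is constructed (weekdays around 100 requests, weekends around 300) so that the difference between an hour-of-day and an hour-of-week baseline on a busy Saturday is visible; the 1-minute history resolution and the synthetic values are assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Lookback step and number of samples per baseline type, from the table above.
BASELINE_TYPES = {
    "hour_of_day":  (timedelta(days=1), 10),   # same hour, previous 10 days
    "hour_of_week": (timedelta(weeks=1), 5),   # same hour and weekday, previous 5 weeks
}


def baseline_point(history, now, kind):
    """Median of the historical samples that the chosen baseline type compares.
    Returns None when the full lookback is not yet in the history, mirroring
    the rule that the appliance does not start plotting until enough data exists."""
    if kind == "short_term":
        window = [now - timedelta(minutes=m) for m in range(1, 61)]   # last hour, per minute
    else:
        step, count = BASELINE_TYPES[kind]
        window = [now - step * k for k in range(1, count + 1)]
    samples = [history[ts] for ts in window if ts in history]
    if len(samples) < len(window):
        return None
    return median(samples)


def synthetic_metric(ts):
    """Constructed request-count series (not appliance data): weekdays ~100,
    weekends ~300, plus a small hour-of-day term and per-minute jitter."""
    base = 300 if ts.weekday() >= 5 else 100
    return base + 2 * ts.hour + ts.minute % 3


def build_history(now, days):
    """Minute-resolution history covering the `days` before `now` (exclusive)."""
    history = {}
    ts = now - timedelta(days=days)
    while ts < now:
        history[ts] = synthetic_metric(ts)
        ts += timedelta(minutes=1)
    return history


NOW = datetime(2024, 6, 15, 14, 0)   # a Saturday at 14:00 (constructed)

if __name__ == "__main__":
    hist = build_history(NOW, days=42)
    print("current value:", synthetic_metric(NOW))
    for kind in ("hour_of_day", "hour_of_week", "short_term"):
        print(kind, "->", baseline_point(hist, NOW, kind))
    print("hour_of_day with 6 days of history:",
          baseline_point(build_history(NOW, days=6), NOW, "hour_of_day"))
```

With six weeks of history the hour-of-day baseline for Saturday 14:00 is 128 (eight weekday samples outvote two weekend ones), while the hour-of-week baseline is 328 and matches the observed Saturday level; with only six days of history the hour-of-day baseline returns None, which is the "four more days" situation described above.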

The following steps show you how to add a dynamic baseline to an existing dashboard chart:

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and then select Edit.
  3. Click the Analysis tab.
  4. In the Dynamic Baselines section, select one of the following dynamic baseline type options:
    Option Description
    Hour of day Displays the median value for a given hour of the day. This option is most useful if activity in your environment usually follows a consistent daily pattern. If you regularly see dramatically different levels of activity on different days of the week, this option is less useful because the baseline usually does not match the current values.
    Hour of week Displays the median value for a given hour on a specific day of the week. This option is most useful if you regularly see significantly different levels of traffic during each day of the week.
    Short-term trend Displays the median value for the last hour. This option is useful for smoothing chart data to reveal short-term trends.
  5. Click Save to close the Metric Explorer and return to the dashboard.
    The ExtraHop system will begin calculating the dynamic baseline. New baseline data points are added every hour or 30 seconds, as shown in the following figure.

Add a static threshold line to a chart

Displaying a static threshold line in a chart can help you determine which data points are either below or above a significant value.

For example, you can create a line chart for server processing time to help you monitor the performance of an important database in your network environment. By adding a threshold line that defines a service level agreement (SLA) boundary of acceptable processing time, you can see when database performance is slowing down and address the issue.

You can add one or more threshold lines as you edit a chart with the Metric Explorer. These lines are local to the chart and not associated with other widgets or alerts. Threshold lines are only available for area, candlestick, column, line, line & column, and status charts.

The following steps show you how to add a static threshold line to an existing dashboard chart:

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and then select Edit.
  3. Click the Analysis tab.
  4. In the Static Thresholds section, click Add Threshold Line.
  5. In the Value field, type a number that indicates the threshold value for the line. This value determines where the line appears on the y-axis of your chart.
    Note:For charts that display only count metrics (such as bytes, errors, and responses), the value of the threshold line automatically scales based on whether data is displayed as a rate or count. When data is only displayed as a count, the threshold line value automatically scales to the roll up period (either 30 seconds, 5 minutes, 1 hour, or 1 day). The data roll up period is determined by the time interval you select.
  6. In the Label field, type a name for your threshold line.
  7. In the Color field, select a color (gray, red, orange, or yellow) for your threshold line.
  8. Click Save to close the Metric Explorer.

Display device group members in a chart

If you have a chart that displays a device group, you can view metrics by top devices in the group, instead of viewing a single value for the entire device group. Drilling down by group member in the Metric Explorer lets you view up to 20 devices in the chart.

Before you begin

Create a chart that contains a device group or activity group as the selected source. Save the chart to a dashboard.

If you see fewer group members in a chart than the number of results you specified, this could be because you selected an activity group with a small number of devices. For activity groups, devices are dynamically placed into an activity group based on the type of protocol traffic they are associated with.

  1. Log into the Web UI on the Discover or Command appliance and then click Dashboards at the top of the page.
  2. Launch the Metric Explorer to edit the chart by completing the following steps:
    1. Select a dashboard containing the chart that you want to edit.
    2. Click the chart title and select Edit.
  3. In the Details field, click Drill down by <None>, where <None> is the name of the detail metric currently displayed in your chart. Then, select Group Member.
  4. In the top results field, enter the number of group members that you want to display. These devices will have the highest metric values. You can display up to 20 group members.
  5. Click Save to close the Metric Explorer.
    Note:If you drill down by group member, you cannot perform additional drill downs to see detail metrics for each device by a key. To see detail metrics by key for a device, we recommend creating another chart with specific devices selected as the source.

Create regular expression filters in a chart

Regular expression (regex) is supported in the Metric Explorer when drilling down for detail metrics. The following examples will help you create regex strings for filtering detail metrics keys, such as IP addresses.

Note:In the ExtraHop system, regex is most effective when you want to filter metric data by a parameter contained within the metric key, such as a number within any IP address. Regex is not effective for filtering for details by an exact match, such as filtering to specify an exact IP address.
Scenario: Compare HTTP status codes 200 to 404.
Filter: (200|404)
How it works: Matches the 200 and 404 codes, where the | symbol serves as an OR.

Scenario: Display all HTTP 400 and 500 error codes occurring on your network.
Filter: ^[45]
How it works: Matches status codes whose first character is 4 or 5. The ^ anchors the match to the start of the key, so a 200 or 304 code is not matched.

Scenario: Display any IP address that contains 187 followed by another character.
Filter: 187.
How it works: An unescaped . matches any single character, so this filter matches 187 followed by anything, for example 187.18.0.1, 10.187.18.5, or 187.180.0.1. An address that ends in 187, such as 192.168.1.187, is not matched because nothing follows the 187.

Scenario: Review all IP addresses containing 187.18.
Filter: 187\.18\.
How it works: The backslash makes each . match only a literal dot, so this filter matches the exact text 187.18. anywhere in the key. It returns 187.18.0.1 and 10.187.18.5, but not 187.180.0.1, because the character after 18 is 0 rather than a dot.

Scenario: Display any IP address except 187.18.197.150.
Filter: ^(?!.*187\.18\.197\.150).*$
How it works: The negative lookahead (?!...) is evaluated at the start of the key and rejects any key that contains 187.18.197.150; every other key matches. Putting the lookahead inside a repeated group, as in ^(.(?!187.18.197.150))*$, does not work, because the lookahead is only checked after a character has been consumed and a key that is exactly 187.18.197.150 is still matched.
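The following is an added example, not code from ExtraHop or this guide, that runs the filters from the table above over a constructed set of drill-down keys so you can confirm what each one matches before typing it into the Filter field. It assumes the filter behaves like a standard search-style regex (matching anywhere in the key unless anchored), which is the same behaviour the table relies on; the sample keys are invented.

```python
import re

# Constructed drill-down keys (not from a real appliance): status codes from a
# drill-down by Status Code, and client addresses from a drill-down by Client.
STATUS_KEYS = ["200", "301", "400", "404", "500", "503"]
IP_KEYS = ["187.18.0.1", "10.187.18.5", "187.180.0.1",
           "187.18.197.150", "18.7.0.1", "192.168.1.187"]


def filter_keys(pattern, keys):
    """Keys that the regex matches anywhere in the key (search semantics);
    anchor with ^ or $ inside the pattern when the position matters."""
    rx = re.compile(pattern)
    return [k for k in keys if rx.search(k)]


# The filters from the table.
STATUS_200_OR_404 = r"(200|404)"
STATUS_4XX_5XX = r"^[45]"
HAS_187_ANYCHAR = r"187."          # unescaped . means "any one character"
HAS_187_18_DOT = r"187\.18\."      # escaped \. means a literal dot

# Exclusion written with the lookahead at the start of the key: works.
EXCLUDE_187_18_197_150 = r"^(?!.*187\.18\.197\.150).*$"
# Exclusion with the lookahead inside a repeated group: a common first attempt
# that fails for a key equal to the excluded address, because the lookahead is
# only evaluated after the first character has already been consumed.
EXCLUDE_AFTER_FIRST_CHAR = r"^(.(?!187.18.197.150))*$"


def exclusion_is_effective(pattern, excluded_key, keys):
    """True if the filter drops excluded_key and keeps every other key."""
    kept = filter_keys(pattern, keys)
    others_kept = all(k in kept for k in keys if k != excluded_key)
    return excluded_key not in kept and others_kept


if __name__ == "__main__":
    for name, pat, keys in [("200 or 404", STATUS_200_OR_404, STATUS_KEYS),
                            ("4xx/5xx", STATUS_4XX_5XX, STATUS_KEYS),
                            ("187.", HAS_187_ANYCHAR, IP_KEYS),
                            ("187\\.18\\.", HAS_187_18_DOT, IP_KEYS),
                            ("exclude (fixed)", EXCLUDE_187_18_197_150, IP_KEYS),
                            ("exclude (naive)", EXCLUDE_AFTER_FIRST_CHAR, IP_KEYS)]:
        print(f"{name:16} -> {filter_keys(pat, keys)}")
```

The check worth keeping from this is the last one: a filter meant to exclude a single host is only useful if it actually drops that host, so test an exclusion pattern against the exact key you want gone, not only against keys that merely contain it.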

Find all devices talking to external IP addresses

The following steps show you how to find all of the external IP addresses that your devices are talking to. You can then see whether any devices are making or accepting unauthorized connections to or from hosts outside of your network.

Tip:You can also accomplish this task through Network locality entry operations in the REST API Explorer.
  1. Log into the Web UI on the Discover or Command appliance.
  2. Click Metrics at the top of the page.
  3. Click Activity Groups in the left pane.
  4. Click TCP Devices. At the top of the page, the External Accepted and External Connected metrics display how many IP addresses outside of your internal network are actively connected to all of your network devices.
  5. Click the blue metric value for either metric.
  6. In the Drill Down by… section, select Group Member. A detail metric page appears and shows all of the names of your network devices and the number of connections to external IP addresses.
  7. Click on a device name that you want to investigate. A protocol page for that device appears, which contains metrics related to the device.

Monitor a device for external IP address connections

If you have an authentication server or database that should not connect to IP addresses outside of your internal network, you can create a value chart in a dashboard that tracks External Accepted and External Connected metrics. From your dashboard, you can then monitor the number of external connections for a specific device.

The following steps show you how to create a value chart for these TCP metrics and then add the chart to a dashboard.
Tip:You can also accomplish this task through Network locality entry operations in the REST API Explorer.
  1. Log into the Web UI on the Discover or Command appliance.
  2. Click Metrics at the top of the page.
  3. Click Devices in the left pane.
  4. Find a device and then click the device name.
  5. Click TCP in the left pane. In the Total Connections chart in the upper left corner, the External Accepted and External Connected metrics display how many IP addresses outside of your internal network are connected to the device.
  6. Click the Total Connections chart title.
  7. From the drop-down menu, select Create chart from…. The Metric Explorer opens with the device and TCP metrics already selected in the chart.
  8. At the bottom of the Metric Explorer, click the Value chart.
  9. In the left pane in the Metric section, click the x icon to delete each TCP metric that you do not want to view in the chart, as shown in the following figure.


    Your chart now contains metrics that help you track the ratio of all accepted connections to external accepted connections, and the ratio of all initiated connections to external initiated connections.
  10. Optional: Make additional edits to the chart with the Metric Explorer.
  11. Click Add to Dashboard and complete one of the following options:
    • Select the name of an existing dashboard from the list. The dashboard list is ordered from the most recently created dashboards (at the bottom) to the oldest dashboards (at the top).
    • Select Create Dashboard. In the Dashboard Properties window, type a name for the new dashboard and then click Create.
  12. Optional: Make additional edits to the dashboard layout.
  13. Click Exit Layout Mode. Your dashboard is complete.
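The following is an added example, not ExtraHop code, that shows the classification behind the External Accepted and External Connected metrics used in the two procedures above: each TCP connection has an initiating (client) and an accepting (server) side, and a peer is external when its address falls outside every network locality entry. The locality table (RFC 1918 ranges plus one public prefix the organization is assumed to own) and the connection records are constructed; the appliance derives these counts from wire data, not from a list like this.

```python
import ipaddress
from collections import defaultdict

# Internal address space, analogous to the appliance's network locality entries:
# RFC 1918 plus one constructed public prefix this organization is assumed to own.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]


def is_external(ip):
    """True if the address is outside every internal locality entry."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


# Constructed TCP connections as (client, server): the client initiated the
# connection (sent the SYN), the server accepted it. Not real capture data.
CONNECTIONS = [
    ("10.0.0.5",   "10.0.0.20"),
    ("10.0.0.5",   "198.51.100.7"),   # internal client -> external server
    ("192.0.2.44", "10.0.0.20"),      # external client -> internal server
    ("10.0.0.20",  "203.0.113.9"),    # owned public prefix counts as internal
    ("10.0.0.20",  "198.51.100.7"),
    ("192.0.2.44", "10.0.0.20"),
]


def tcp_connection_metrics(connections):
    """Per internal device: Connected/Accepted totals and the External
    Connected/External Accepted subsets, as shown on the TCP protocol page."""
    zero = {"connected": 0, "external_connected": 0,
            "accepted": 0, "external_accepted": 0}
    metrics = defaultdict(lambda: dict(zero))
    for client, server in connections:
        if not is_external(client):           # the device initiated
            metrics[client]["connected"] += 1
            if is_external(server):
                metrics[client]["external_connected"] += 1
        if not is_external(server):           # the device accepted
            metrics[server]["accepted"] += 1
            if is_external(client):
                metrics[server]["external_accepted"] += 1
    return dict(metrics)


def external_policy_violations(metrics, no_external):
    """Devices in no_external (for example an authentication server or a
    database) that accepted or initiated any external connection, with counts."""
    violations = []
    for device in sorted(no_external):
        m = metrics.get(device)
        if not m:
            continue
        for key in ("external_accepted", "external_connected"):
            if m[key]:
                violations.append((device, key, m[key]))
    return violations


if __name__ == "__main__":
    counts = tcp_connection_metrics(CONNECTIONS)
    for device, m in sorted(counts.items()):
        print(device, m)
    print("violations:", external_policy_violations(counts, {"10.0.0.20"}))
```

Two details matter when reading the appliance's numbers the same way: a peer in a public prefix you have added as a locality entry is internal, so it never inflates the external counts, and External Accepted is the one to watch on a server that should only ever be reached from inside, because it records inbound sessions that something outside initiated.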

Compare metric deltas

Metric delta comparison helps you see differences in data from two time intervals side-by-side in the same chart. If you create a comparison and navigate to another area of the Discover appliance, the comparison is disabled temporarily. When you return to your original page, the delta comparison you saved is enabled again.

  1. Find a chart with the metrics that you want to compare.
  2. In the upper left hand corner of the navigation bar, click the time interval.
  3. In the Time Interval tab, click Compare.
  4. In the Delta Comparison tab, select the time interval to compare with the original time interval.
  5. Click Save. New metric data from the Delta Comparison time interval is placed on the original chart.
  6. To remove the delta comparison, complete the following steps:
    1. Click the time interval.
    2. Click Remove Delta.
    3. Click Save.
    Note:Dynamic baselines will not appear on a chart when you are comparing metric deltas.

Generate an activity map

An activity map is a dynamic visual representation of L4-L7 protocol activity between devices. You can generate an activity map for a single device, device group, or activity group for the selected time interval. Then, view traffic by servers or clients to see which devices are talking to each other over a specific protocol.

  1. Log into the Web UI on a Discover or Command appliance and then click Metrics at the top of the page.
  2. Complete one of the following steps:
    • Click Devices in the left pane and then click an individual device name.
      Note:You cannot generate an activity map for an L2 device (which only has a MAC address associated with it) or for an L3 device in limited analysis. Make sure that you select an L3 device in full analysis. For more information about L2 devices, L3 devices, and limited analysis, see the Device Discovery FAQ.
    • Click Activity Groups in the left pane and then click an activity group name.
    • Click Device Groups in the left pane and then click a device group name.
  3. In the View section in upper right corner of the page, click Activity Map.


    An activity map opens and displays the device or group as the map origin.
  4. Optional: In the From section in the left pane, click the device or group name. A drop-down list appears. Search for and select another device or group to dynamically update the map origin for the current map you are viewing.


    Note: If you select a device, activity group, or device group without associated protocol activity, the activity map is generated without any data.

Next steps

  • View traffic from your origin device to servers and clients by completing the following steps:
    • In the To section, click the field. A drop-down list appears with devices listed by protocol and role.
    • Select a name from the list. Click Add to select another level of protocol device traffic to your map.
  • Pan across the map by clicking-and-dragging your mouse, and zoom on the map by scrolling with your mouse or clicking the controls in the bottom right of the screen.
  • Click a circle or line to access the device protocol pages or, if an Explore appliance is connected, the records for the transactions between the devices.
  • Export an activity map by clicking on the command menu in the upper right corner and selecting the type of file to download.
  • View your map in a 3D layout by clicking the command menu in the upper right corner of the map and selecting View 3D Layout.
  • Hover over a circle or line to view labels that include device and protocol names.

Sort metrics

If a metrics section on an application protocol page contains a gear icon in the upper right corner, the metrics in that section can be sorted by key or by value.

  1. Navigate to a protocol page by clicking Metrics and then select an application.
  2. Click the gear icon.
  3. Select Sort by Key or Sort by Value.

Create a chart from a protocol page

Protocol pages contain a large number of metrics and charts. While you cannot modify the charts on protocol pages, you can create a copy of an interesting chart on a protocol page and then add the copied chart to a dashboard. Your dashboard can then be modified and shared with other team members.

  1. Click Metrics and then select a source in the left pane.
  2. Find the chart that you want to copy. Click the chart title and select Create Chart. The Metric Explorer opens with the source and metric selected.
    Note:If you find a chart on an Application or Network Capture page, click Create Chart in the upper right corner of the page.
  3. Edit the chart as needed.
  4. Click Add to Dashboard:
    • Select Create Dashboard to create a dashboard, and then click Create.
    • Select an existing dashboard from the list, and then click Close.

Charts FAQ

Here are some answers to frequently asked questions about charts.

How do I create a chart?
You can create a chart in one of the following ways:
  • Create a new dashboard. An empty chart will appear in your new dashboard, which you can then edit with the Metric Explorer.
  • Add a new chart to an existing dashboard by editing the dashboard layout. In the upper right corner, click the properties menu and select Edit Dashboard Layout. You can then add new empty chart widgets to your dashboard.
  • Create a new chart based on a built-in chart from a protocol page. Click the chart title and select Create Chart from.... You can then save your chart to a dashboard.
How do I edit an existing chart?

Click on the chart title and select Edit. You edit a chart with the chart-building tool called the Metric Explorer. In the Metric Explorer, you select a source, protocol metrics to display from that source, and a chart type.

Which chart type should I select to compare data?
The following chart types are helpful if you want to compare two metrics together, for example the total number of requests compared to the total number of responses.
  • Bar chart
  • List chart
  • Table chart
  • Value chart
Which chart type should I select to observe changes over time?
The following chart types are helpful if you want to observe how a metric, such as errors, changes over time.
  • Line chart
  • Area chart
  • Column chart
When should I create a box plot, candlestick, or histogram chart?
Box plot, candlestick, and histogram charts help you visualize the statistical distribution of data for timing metrics in the ExtraHop system. Timing metrics include server processing time and round trip time.

Box plot chart: Displays the distribution summary of a single metric. You can compare different metrics such as processing time (for application latency) and round trip time (for network latency) side-by-side.

Candlestick chart: Displays changes to the distribution summary for a single metric over time.

Histogram chart: Displays the entire distribution for a single metric. Data is placed into bins instead of percentiles. Histograms help you quickly find outliers, because you can interpret the value of each bin, rather than interpret percentiles.

Note:Depending on the type of metric you select, you can view the distribution of metric activity as percentiles or as a mean and standard deviation. The box plot and candlestick charts display the Summary percentiles by default (5th, 25th, 50th, 75th, and 95th). Drill down on a timing metric to view the mean and standard deviation of that metric broken down by client, server, and other factors.
When should I create a heatmap?

A heatmap displays a distribution of percentiles over time. You can only view timing metrics such as server processing time and round trip time in a heatmap. For example, a heatmap is useful for identifying concentrations of high server latency at a specific time.

What are maximum, minimum, and average rates?

Network byte and packet data can be displayed in a chart as a maximum, minimum, and average per-second rate. The Rate Summary in a chart displays these three rates together.

Configuring a chart to display the Rate Summary is only available for high-precision metrics, where metric data is aggregated into 1-second intervals. In the ExtraHop system, high-precision metrics are Network Bytes and Network Packets. For more information, see Display a rate or count in a chart.

Can I add trend lines to my chart?

You can add a dynamic baseline to your chart. A baseline is essentially a trend line that is calculated based on historical data. Baselines help you distinguish between normal and abnormal activity in your chart data.

The Discover appliance does not begin calculating a dynamic baseline until the setting is enabled from the Options tab in the Metric Explorer. Therefore, dynamic baselines only appear for time periods that occur after the baseline was enabled. For more information, see Add a dynamic baseline to a chart.

You can also add a static threshold line to your chart. A threshold line helps you determine if activity is falling above or below a specific value, which is helpful for monitoring service level agreement (SLA) compliance. For more information, see Add a static threshold line to a chart.

How do I add a rate to my chart?

Count metrics, such as errors, requests, and responses, are displayed as total counts in charts by default. But you can also display these metrics as a rate in a chart.

Below the metric name in the Metric Explorer, click Count, and select the type of rate to display.

For more information, see Display a rate or count in a chart.

How do I change the units in my chart?

You can change units from bytes to bits, linear to log scale, or from the decimal prefix (1,000 bytes) to binary prefix (1,024 bytes). You can also abbreviate values in bar, value, and list chart types. Click the Options tab when editing a chart in the Metric Explorer.

How do I change a chart name?

Click the chart title and select Rename.

How do I change the labels in my chart?

You can rename metric labels that appear in the legend for most charts. Click on the metric label in the chart and select Rename. This option is not available for box plot, candlestick, heatmaps, or status chart types.

Why do I see Incompatible selections when I hover over a chart type?

Some chart types are only compatible with certain types of metrics. When editing a chart, you might see an Incompatible selections message as you hover over a chart type. This message means that the metric you already selected is incompatible with the chart type.

For example, if you selected an error, request, response, or network bytes metric, you will see an Incompatible selections message as you hover over the following chart types:
  • Heatmap
  • Histogram
  • Candlestick
  • Box plot

These chart types are only compatible with timing metrics such as server processing time and round trip time.

Why is there no data in my chart?

There might not be activity for the source or protocol metric you selected for your chart during the time interval you selected. Adjust the time interval to see if data appears in your chart.

If you are not seeing the traffic you are expecting, contact ExtraHop Support for help.

Activity dashboard

From the Activity dashboard, you can monitor general information about application activity and performance from the transport through the application layers (L4 - L7) on your network.

Each chart in the Activity dashboard contains visualizations of protocol metric data, organized by region. You cannot edit or delete the Activity dashboard. However, you can create your own custom dashboard to monitor specific metrics that are relevant to you.

The following information summarizes each region and its charts.

Traffic Overview
Determine whether traffic bottlenecks are related to a specific application protocol or network latency. The Traffic Overview region contains the following charts:

Network Packets by L7 Protocol Avg Rate chart: Find the protocol that has the highest volume of packet transmissions over the application layer (L7) during the selected time interval.

All Activity Network Round Trip Time: The 95th percentile line shows you the upper range of the time that it took for packets to traverse the network. If this value is over 250 ms, then network issues could be slowing down application performance. Round trip time is a measurement of the time between when a client or server sent a packet and received an acknowledgment.

Alert History: View up to 40 of the latest alerts that were generated, and their severity levels. Alerts are user-configured conditions that establish baseline values for specific protocol metrics.

Active Protocols

Determine how application performance is affected by the protocols that are actively communicating over the wire. For example, you can quickly glance at charts that display server processing times and the ratio of errors to responses per protocol.

There is a chart for each active protocol. If you do not see a protocol you were expecting, applications might not be communicating over that protocol during the selected time interval.

For more information about protocols and to view metric definitions, see the ExtraHop Protocol Metrics Reference.

Note: In the ExtraHop Command appliance, you can display the Activity dashboard for each Discover appliance. The appliance name appears in the navigation bar; click the down arrow next to the appliance name to pivot the display to other Discover appliances.


Network dashboard

From the Network dashboard, you can monitor how effectively data is transmitted over the data link, network, and transport (L2 - L4) layers.

Each chart in the Network dashboard contains visualizations of network metric data, organized by region. You cannot edit or delete the Network dashboard. However, you can create your own custom dashboard to monitor specific metrics that are relevant to you.

The following information summarizes each region.

Network L2 Metrics
Monitor the throughput rates over the data link (L2) layer by bits and packets, and monitor the types of frames transmitted. You can also determine how much data is sent to receivers by unicast, broadcast, or multicast distribution.
Network L4 Metrics
Monitor data transfer latency over the transport layer (L4). View TCP activity through connection, request, and response metrics. This data can indicate how effectively data is sent and received across the transport layer in your network.
Network Performance
Monitor how network performance is affecting applications. View overall network throughput by reviewing the throughput per application protocol and the magnitude of high TCP round trip times.
Network L3 Metrics
View data throughput at the network layer (L3) and see packets and traffic by TCP/IP protocols.
DSCP
View a breakdown of packets and traffic by Differentiated Services Code Point (DSCP), which is part of the DiffServ network architecture. Every IP packet contains a field, called the differentiated services field, that expresses the priority with which the packet should be handled. The values carried in that field are called code points.
Multicast Groups
View traffic that is sent to multiple receivers in a single transmission, and see packets and traffic by each receiver group. Multicast traffic on a network is organized into groups based on destination addresses.
Note: In the ExtraHop Command appliance, you can display the Network dashboard for each Discover appliance. The appliance name appears in the navigation bar; click the down arrow next to the appliance name to pivot the display to other connected Discover appliances.

Metrics concepts

Metrics are measurements of network behavior. Metrics help you to gain visibility into what is happening in your network in real-time. In the ExtraHop system, metrics are calculated from wire data, and then associated with devices and protocols. The ExtraHop system provides a large number of metrics, which you can explore from protocol pages in the Metrics section of the ExtraHop Web UI. You can also search for metrics in the Metric Catalog, in the Metric Explorer, and by searching for metrics by source and then protocol.

Types of metrics

Each metric in the ExtraHop system is classified into a metric type. Understanding the distinctions between metric types can help you configure charts or write triggers to capture custom metrics. For example, a heatmap chart can only display dataset metrics.

Count
The number of events that occurred over a specific time period. You can view count metrics as a rate or a total count. For example, a byte is recorded as a count, and can either represent a throughput rate (as seen in a time series chart) or total traffic volume (as seen in a table). Rates are helpful for comparing counts over different time periods. A count metric can be calculated as a per-second average over time. When viewing high-precision, or 1-second, bytes and packet metrics, you can also view a maximum rate and minimum rate. Count metrics include errors, packets, and responses.
Distinct count
The number of unique events that occurred during a selected time interval. The distinct count metric provides an estimate of the number of unique items placed into a HyperLogLog set during the selected time interval.
Dataset
A distribution of data from which percentile values can be calculated. Dataset metrics include processing time and round trip time.
Maximum
A single data point that represents the maximum value from a specified time period.
Sampleset
A summary of data about a detail metric. Selecting a sampleset metric in a chart enables you to display a mean (average) and standard deviation over a specified time period.
Snapshot
A data point that represents a single point in time.
Tip: Visit the Tip of the Week: Metric Types post on the ExtraHop community forum.

Metric sources

In the ExtraHop system, a metric is a measurement of observed network behavior. Metrics are generated from network traffic, and then each metric is associated with a source, such as an application, device, or network. When you select a source from the Metrics section of the Web UI, or in the Metric Explorer when building a chart, you can view metrics associated with that source. Each source provides access to a different collection of metrics.

Select from the following sources and groups as you configure dashboard widgets or navigate across protocol pages.

Applications

An application is a user-defined container that you can associate with multiple devices and protocols for a unified view of built-in metrics.

These containers can represent distributed applications on your network environment. For example, if you want a unified view of all the network traffic associated with a website—from web transactions to DNS requests and responses to database transactions—you can create a custom application that contains all of these related metrics.

The ExtraHop Web UI enables you to create basic applications that filter metrics by protocol. For advanced applications, you must write a trigger, which requires JavaScript code. For example, you must write a trigger to apply advanced filters for collecting metrics, to create custom application metrics, or to collect metrics from non-L7 traffic.

For more information about creating applications, see Create an application through the Web UI and Create an application through the Trigger API.

Networks

A network capture is the entry point into network devices and virtual LANs (VLANs) that are detected from wire data by the ExtraHop system. A flow network is a network device, such as a router or switch, that sends information about flows seen across the device. A flow network can have multiple interfaces.

Devices

Devices are objects on your network with a MAC address and IP address that have been automatically discovered and classified by the ExtraHop system. Metrics are available for every discovered device on your network. An L2 device has a MAC address only; an L3 device has an IP address and MAC address.

For more information about how devices are automatically discovered and classified by the ExtraHop system, see Device discovery.
Device groups

A device group is a user-defined collection of devices that can help you track metrics across multiple devices. You can create a dynamic device group by automatically adding all devices that meet matching criteria, or you can create a static device group by manually selecting individual devices.

Matching criteria for dynamic device groups can be a hostname, IP address, MAC address, or any of the filter criteria listed for the device on the Devices page. For example, you can create a dynamic group and then configure a rule to add all devices within a certain IP address range to that group automatically.

Activity groups

An activity group is a collection of devices automatically grouped together by the ExtraHop system based on network traffic. A device with multiple types of traffic might appear in more than one activity group; for example, if a CIFS client is authenticating through LDAP, the device will appear in both the CIFS Clients and the LDAP Clients activity groups. Activity groups make it easy to identify all the devices associated with a protocol, or determine which devices were associated with protocol activity during a specific time interval.

Create custom metrics

In addition to analyzing built-in protocol metrics in the ExtraHop system, you can create your own custom metrics to collect specific information about your environment. Creating a custom metric requires two parts: specifying metric parameters in the Metric Catalog and building a trigger to discover, collect, and store custom metric data. In this topic, you will learn how to create a custom metric from the Metric Catalog first and find links to resources for planning and building a trigger.

By creating a custom metric from the Metric Catalog first, you can add the new metric to a dashboard or chart before custom metric data is collected. If you build a trigger for a custom metric first without specifying metric parameters, you might not be able to access the custom metric until data is observed and collected by the ExtraHop system.

The following steps show you how to create a custom metric with the Metric Catalog.

Before you begin

Be aware that the parameters you specify in the Metric Catalog become part of the code that is referenced by a trigger. Parameters such as the metric name and metric type cannot be changed after creating the custom metric in the Metric Catalog. Before you create a custom metric or write a trigger, identify which events and devices are needed to extract the data you need and determine whether a solution already exists. For more information, see Triggers.
  1. Log into the Web UI on the Discover or Command appliance and click the System Settings icon at the top of the page.
  2. Click Metric Catalog.
  3. Click the command menu and select Create Metric Manually.
  4. In the Parameters section, complete the following steps to create the code that will be referenced by a trigger:
    1. In the Metric field, type a unique name for your metric. The trigger method that collects data for your custom metric must reference the exact metric name that you specify in the Metric field. Avoid spaces between words by typing underscores. When defining a detail metric name, specify the detail key in the name by appending .by_<key_name_without_spaces> to the metric name, where <key_name_without_spaces> is the key metric name.
    2. In the Source Type field, select a source, or class, from the drop-down list that you want to retrieve data from. For more information about these classes, see General purpose classes in the Trigger API Reference.
    3. In the Metric Type field, select an option from the drop-down list that specifies how data will be stored and viewed in the ExtraHop system. The Metric Type selection appears in triggers as part of the method name, such as metricAddCount or metricAddDataset. For more information, see ExtraHop data types in the Trigger API Reference.
    4. In the Type field, select one of the following options:
    • Select Base Metric. A base, or top-level, metric is a metric of one of the metric types, such as count or dataset. The Type selection appears in triggers as part of the method name, for example metricAddDataset.
    • Select Detail Metric. A detail metric consists of key-value pairs, where the key is a string or IP address and the value is a top-level metric type such as a count or dataset metric. The Type selection appears in triggers as part of the method name, for example metricAddDetailDataset.
    Important: Selections made in the Parameters section cannot be changed after you create the custom metric.
  5. In the Display section, complete the following steps to specify metric information that is searchable by ExtraHop users in the ExtraHop Web UI:
    1. In the Name field, type a user-friendly display name for your metric that is displayed in search results and charts in the ExtraHop system. You can include spaces in the display name.
    2. Optional: In the Units field, select an option from the drop-down list if you know the unit of measure to display in a chart for your metric data.
    3. Optional: In the Description field, type information that is displayed with search results for your metric in the ExtraHop system. The custom base metric description is automatically displayed for the detail metric in search results.
    4. Optional: (For detail metrics only) In the Key Label field, type a display name for the set of keys in your metric. For example, you can create the key label, User Agent, for a custom metric that collects requests per HTTP user agent. Key labels do not need to be unique.
  6. Optional: In the Detail Relationships section, complete one of the following steps if you want to associate a custom base metric with a custom detail metric:
    • (For base metrics) In the Detail Metrics field, click the field and search for a custom metric that you want users to view by drilling down from the custom metric. You can leave this blank if you do not want to provide drill-down data for your custom metric.
    • (For detail metrics) In the Base Metric field, select a top-level metric from the drop-down list that you want to associate with your custom detail metric. You can leave this blank if you do not want to associate additional metrics with your custom metric.
  7. When you are satisfied with the parameters, click Create. Your custom metric parameters are added to the ExtraHop system. REST API parameters for your metric appear in the Metric Catalog. You can now search for your metric and add your metric to charts.
    Important: You must build a trigger to discover, collect, and store custom metric data.

Delete a custom metric

If you want to stop collecting custom metric data and remove the custom metric from the ExtraHop system, you must disable the trigger and then delete the custom metric entry from the Metric Catalog.

  1. Log into the Web UI on the Discover or Command appliance and click the System Settings icon at the top of the page.
  2. Click Triggers.
  3. Find the trigger associated with the custom metric you want to delete. Select the checkbox next to the trigger name and then click Disable. The trigger will stop collecting data for your custom metrics.
  4. Close the Trigger window and click the System Settings icon again.
  5. Click Metric Catalog.
  6. To delete a single custom metric, complete the following steps:
    1. Search for the metric and select it from the list.
    2. Click the command menu next to the Type to filter field and select Delete Selected Metric.
  7. To delete multiple custom metrics, complete the following steps:
    1. Search for a common term shared by the custom metrics you want to delete.
    2. Click the command menu next to the Type to filter field.
    3. Select the Custom Metrics Only checkbox. Built-in metrics are excluded from the search results.
    4. Select Delete All Matching Metrics. You can delete up to 1,000 metrics that match the search term even if they are not on the current page.
    5. Click Delete x Metrics to confirm their deletion.

Time intervals

The Time Selector is displayed in the top-left corner of the navigation bar and controls the global time interval for metrics displayed in the ExtraHop Web UI. Navigating from one area to another will not change the time interval for the metrics you are viewing. Whether you are viewing metrics in a dashboard, or drilling-down to view detailed metrics, the time interval stays the same.

Here are some considerations about time intervals:

  • Time intervals are preserved for each login session. Logging out of the Discover appliance will reset the global time interval to the last 30 minutes. You can access the five most recent unique time intervals from the History tab of the Time Selector.
  • The time interval is included at the end of the URL in your browser. To share a link with others that maintains a specific time interval, copy the entire URL. To maintain a specific time interval after logging out of the Discover appliance, bookmark the URL.
  • The time interval associated with the collection and presentation of network data is determined by your local NTP server by default. You can change the system time in the ExtraHop system from the Admin UI. For more information, see Configure the system time in the Admin UI Guide.

Change the time interval

This procedure shows you how to set the global time interval. You can also apply a time interval by dashboard or by region.
  1. Click the time interval in the upper left corner of the page (for example, Last 30 minutes).
  2. Select from the following interval options:
    • A preset time interval (such as Last 30 minutes, Last 6 hours, Last day, or Last week).
    • A custom unit of time.
    • A custom time range. Click a day to specify the start date for the range. One click will specify a single day. Clicking another day will specify the end date for the range.
    • Compare metric deltas from two different time intervals.
  3. Click Save.
Tip: You can also set the time interval from the History tab by selecting from up to five recent time intervals set in a previous login session.

View the latest data for a time interval

On a dashboard page, metric data is reloaded automatically. For time intervals such as the last 30 minutes, day, or week, dashboards continuously update to display the latest data for that time interval.

On a protocol page, detail metrics page, or records query page, metric data are reloaded on request. On these pages, the time interval includes a blue refresh icon and gray text that indicates when the metric or record query was last loaded. To reload the metrics or query for the specified time interval, click the refresh icon.



Change chart data granularity

The ExtraHop system stores metrics in 30-second buckets of time. Metric data are then aggregated or rolled up into additional five-minute and one-hour buckets. Aggregating data helps to limit the number of data points rendered on a time-series chart so the granularity of data is easier to interpret. The time interval you select determines the best aggregation, or roll up, of data to display in a chart for the period of time you are viewing.

For example, if you select a large time interval, such as one week, metric data is aggregated into one-hour roll ups. On the x-axis of a line chart, you see a data point for every hour instead of a data point for every 30 seconds. If you want to increase the level of granularity, you can zoom in on a chart or change the time interval.

The ExtraHop system includes built-in high-precision metrics with 1-second roll ups, which are the Network Bytes and Network Packets metrics. These metrics are associated with a device or network capture source. For more information on how to view these metrics in a chart, see Display the maximum rate in a chart.

The following table provides information about how data is aggregated based on time interval.

Time interval: Less than six minutes
Aggregation roll up (if available): 1-second
Notes: A 1-second roll up is only available for custom metrics and for the following built-in metrics:
  • Network source > Network Bytes (total throughput)
  • Network source > Network Packets (total packets)
  • Device source > Network Bytes (combined inbound and outbound throughput by device)
  • Device source > Network Bytes In (inbound throughput by device)
  • Device source > Network Bytes Out (outbound throughput by device)
  • Device source > Network Packets (combined inbound and outbound packets by device)
  • Device source > Network Packets In (inbound packets by device)
  • Device source > Network Packets Out (outbound packets by device)

Time interval: 120 minutes or less
Aggregation roll up (if available): 30-second
Notes: If a 30-second roll up is not available, a 5-minute or 60-minute roll up displays.

Time interval: Between 121 minutes and 24 hours
Aggregation roll up (if available): 5-minute
Notes: If a 5-minute roll up is not available, a 60-minute roll up displays.

Time interval: Greater than 24 hours
Aggregation roll up (if available): 60-minute

Note: If you have an extended datastore that is configured for 24-hour metrics, a specified time interval of 30 days or longer displays a 24-hour aggregation roll up.
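The following Python example, added here and not part of the ExtraHop product or documentation, models how the metric types described under Types of metrics (count, dataset, sampleset view, maximum, snapshot) are rolled up from 30-second buckets according to the aggregation table above. The bucket layout, function names and sample values are constructed for illustration.

```python
"""Roll-up of 30-second metric buckets for the metric types described under
'Types of metrics', following the aggregation table above. Added example, not
ExtraHop's storage code: the bucket layout and function names are assumptions."""
import math
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional


def choose_rollup(interval_seconds: int, has_one_second: bool = False) -> int:
    """Roll-up width (seconds) the table selects for a time interval.

    1-second data exists only for custom metrics and the high-precision
    Network Bytes / Network Packets metrics, so it is opt-in here.
    """
    if interval_seconds < 6 * 60 and has_one_second:
        return 1
    if interval_seconds <= 120 * 60:
        return 30
    if interval_seconds <= 24 * 3600:
        return 300
    return 3600


@dataclass
class Bucket:
    """One stored bucket of one source's metrics; fields unused by a metric type stay empty."""
    start: int                                   # epoch seconds, aligned to the bucket width
    count: int = 0                               # count metric, e.g. HTTP responses
    dataset: List[float] = field(default_factory=list)  # dataset metric, e.g. tprocess (ms)
    maximum: Optional[float] = None              # maximum metric
    snapshot: Optional[float] = None             # snapshot metric, e.g. open connections


def percentiles(values: List[float], points=(5, 25, 50, 75, 95)) -> Dict[int, float]:
    """Nearest-rank percentiles; the default points are the box plot / candlestick quartiles."""
    ordered = sorted(values)
    return {p: ordered[max(1, math.ceil(p / 100 * len(ordered))) - 1] for p in points}


def rollup(buckets: List[Bucket], width: int) -> List[Bucket]:
    """Merge buckets into width-second buckets.

    count    -> summed (a chart can then show it as a total or a per-second rate)
    dataset  -> samples merged, so percentiles are recomputed over the whole window
    maximum  -> largest value seen
    snapshot -> the most recent value in the window
    """
    groups: Dict[int, Bucket] = {}
    for b in sorted(buckets, key=lambda b: b.start):
        key = b.start - b.start % width
        g = groups.setdefault(key, Bucket(start=key))
        g.count += b.count
        g.dataset.extend(b.dataset)
        if b.maximum is not None:
            g.maximum = b.maximum if g.maximum is None else max(g.maximum, b.maximum)
        if b.snapshot is not None:
            g.snapshot = b.snapshot
    return [groups[k] for k in sorted(groups)]


def summarize(bucket: Bucket, width: int) -> dict:
    """What a chart would render for one rolled-up bucket of each metric type."""
    has_data = bool(bucket.dataset)
    return {
        "total": bucket.count,
        "rate_per_second": bucket.count / width,
        "percentiles": percentiles(bucket.dataset) if has_data else None,
        "mean": mean(bucket.dataset) if has_data else None,       # sampleset view
        "stddev": pstdev(bucket.dataset) if has_data else None,   # sampleset view
        "max": bucket.maximum,
        "snapshot": bucket.snapshot,
    }


def chart_points(buckets: List[Bucket], interval_seconds: int) -> List[dict]:
    """Pick the roll-up for the interval and summarize every resulting bucket."""
    width = choose_rollup(interval_seconds)
    return [summarize(b, width) for b in rollup(buckets, width)]


# Constructed sample: ten 30-second buckets (five minutes) for one HTTP server.
# Bucket 7 carries a latency spike that the 95th percentile should expose.
_BASE = 1_700_000_100                              # multiple of 300
_COUNTS = [12, 8, 15, 20, 9, 11, 14, 30, 7, 10]
_TPROCESS = [20, 25, 30, 22, 28, 35, 40, 120, 26, 24]
_CONNS = [3, 4, 4, 5, 5, 6, 7, 9, 6, 5]
SAMPLE_BUCKETS = [
    Bucket(start=_BASE + 30 * i, count=c, dataset=[float(t), float(t) + 10.0],
           maximum=float(t) + 10.0, snapshot=float(s))
    for i, (c, t, s) in enumerate(zip(_COUNTS, _TPROCESS, _CONNS))
]

if __name__ == "__main__":
    for point in chart_points(SAMPLE_BUCKETS, 3 * 3600):   # 3-hour interval -> 5-minute roll-up
        print(point)
```

With a 3-hour interval the ten buckets collapse into one 5-minute point whose 95th percentile (120 ms) exposes the spike that the median (34 ms) hides.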

Zoom in on a time range

You can click-and-drag across a chart to zoom in on interesting metric activity. This custom time interval is then applied across the ExtraHop Web UI, which is useful for investigating other metric activity that occurred at the same time.

Zooming in on a time range is only available in charts with an x- and y-axis, such as line, area, candlestick, and histogram charts.

  1. Click-and-drag your mouse across the chart to select a time range. If the time range is less than one minute, the time range appears red. Drag the mouse until the time range appears green.
  2. Release the mouse button. The chart is redrawn to the custom time range and the time interval in the upper right corner of the navigation bar is updated.
  3. To revert from the custom time interval to your original time interval, click the undo icon—a magnifying glass with a minus sign—which is displayed next to the time interval in the upper right corner of the navigation bar.
    Tip: On a dashboard page, you can limit the zoom-in custom time interval to a specific region. Click the region header, select Use Region Time Selector, and then zoom in on a chart. Each chart or widget within that region is updated to the custom time interval.

Alerts concepts

Alerts make it easy to inform your teams when critical network, device, or application events occur, such as service level agreement (SLA) violations. You can configure alert settings to track specified criteria and generate alerts when the configured conditions are met.

When an alert is generated, you can also direct the ExtraHop system to send an email message or an SNMP trap to designated people in your organization. You can also configure time ranges in which alerts are suppressed, such as weekends, to reduce unnecessary alerts.

Alerts are displayed on the Alert History page, which enables you to quickly assess the severity of the alert and view the source of the alert.

Alert types

You can configure threshold and trend alert settings in the ExtraHop Web UI. The ExtraHop system also generates alerts through anomaly detection, which is available with a subscription to the ExtraHop Addy™ service.

Addy Anomaly alerts
Anomalies are unexpected deviations from normal patterns in device or application behavior. Unlike threshold and trend alerts, which require you to configure alert conditions, anomalies are automatically detected by ExtraHop Addy. Addy is a cloud-based service that applies machine learning techniques to detect anomalies in your IT environment.

This topic focuses on threshold and trend alerts and how to configure them in the ExtraHop Web UI; to get started with Addy, see the ExtraHop Addy User Guide.

Threshold alerts
Threshold-based alerts are generated when a monitored metric crosses a defined value within a time period. Threshold alerts are useful for monitoring occurrences such as error rates that surpass an acceptable percentage or SLA violations.
Trend alerts
Trend-based alerts are generated when a monitored metric deviates from the normal trends observed by the system. Trend alerts are useful for monitoring metric trends such as unusually high round-trip times or storage servers experiencing abnormally low traffic, which might indicate a failed backup.

Trend alert settings are more complex than threshold alerts, and are useful for metrics where thresholds are difficult to define.

Alert conditions

An alert is generated when the alert conditions that you configure are met. The areas of consideration are different depending on the alert type. For anomaly alerts, the monitored protocols and the firing mode are considered. For threshold or trend alerts, the monitored metric, the firing mode, and the alert expression are considered.

Monitored protocols
Specifies which protocols are watched by the alert configuration. The ExtraHop system generates an alert only if an anomaly is detected from traffic that is over a specified protocol.
Monitored metric
Specifies the metric tracked by the alert configuration. The ExtraHop system watches for instances when the value of the metric crosses a defined threshold or diverges from the trend. Threshold alert settings can track a top-level or detail metric, but trend alert settings can only track a top-level metric.
Firing mode
Specifies how often an alert is generated. Specify the edge-triggered alert option to issue a single alert when conditions are met even if the condition is ongoing. Specify a level-triggered alert option to issue alerts at specified intervals for as long as the conditions are true.
Alert expression
Specifies when to issue an alert. A series of options, such as the time interval, the metric value, and the rate, are combined to determine the alert expression. For example, you can set options to issue a threshold alert when the value of the monitored metric falls below 100 per second in a 1-minute interval. Options available for an alert expression vary by alert type and other configuration settings.

The values for each area are combined to determine the alert conditions. As the system monitors the specified metric, if the alert conditions are met, the system issues an alert based on the specified firing mode and the alert type.

For example, the following alert conditions result in a threshold alert when an HTTP 500 status code is observed more than 100 times during a 10-minute period:

Monitored metric: extrahop.device.http_server:status_code?500

Firing mode: Edge-triggered

Alert expression: Value over 10 minutes > 100 per interval

Or, you can specify a per second, minute, or hour rate. For example, the following alert conditions result in a threshold alert when an HTTP 500 status code is observed more than 30 times per minute during a 10-minute period:

Monitored metric: extrahop.device.http_server:status_code?500

Firing mode: Edge-triggered

Alert expression: Value over 10 minutes > 30 per minute

The alert conditions for a trend alert are slightly different from those for a threshold alert. The following settings result in a trend alert when the 75th percentile of HTTP web server processing time spikes for longer than 10 minutes and the processing time is 100% higher than the trend (that is, more than 200 percent of the trend):

Monitored metric: extrahop.device.http_server:tprocess

Firing mode: Edge-triggered

Alert expression: 75th percentile over 10 minutes > 200 percent of trend
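The Python example below, added here and not taken from the ExtraHop product or documentation, evaluates the three alert configurations above against constructed 30-second bucket data: the two threshold expressions in edge- and level-triggered firing mode, and the trend expression for one 10-minute window. The bucket layout, the function names, and the reading of "30 per minute over 10 minutes" as the average per-minute rate across the window are assumptions made here.

```python
"""Threshold and trend alert evaluation over 30-second metric buckets.
Added example, not ExtraHop's alerting engine: the bucket layout, the
function names and the reading of 'per minute' as an average over the
window are assumptions made here."""
from dataclasses import dataclass
from math import ceil
from typing import List, Tuple

BUCKET_SECONDS = 30
PER_SECONDS = {"second": 1, "minute": 60, "hour": 3600}


@dataclass(frozen=True)
class ThresholdExpression:
    """Mirrors the Web UI wording: 'Value over <window> > <threshold> per <unit>'."""
    window_seconds: int          # "over 10 minutes" -> 600
    threshold: float             # "> 100"
    per: str = "interval"        # "interval", "second", "minute" or "hour"
    above: bool = True           # True for ">", False for "<"


def window_value(counts: List[int], end_index: int, expr: ThresholdExpression) -> float:
    """Sum the trailing window ending at end_index and convert to the unit in expr."""
    n = expr.window_seconds // BUCKET_SECONDS
    total = sum(counts[end_index - n + 1:end_index + 1])
    if expr.per == "interval":
        return total
    # "30 per minute over 10 minutes" is read as the average per-minute rate
    return total * PER_SECONDS[expr.per] / expr.window_seconds


def evaluate_threshold(counts: List[int], expr: ThresholdExpression,
                       firing_mode: str = "edge", level_interval_seconds: int = 300) -> List[int]:
    """Return the bucket indices at which an alert is issued.

    edge:  one alert when the condition becomes true, none while it stays true
    level: an alert every level_interval_seconds for as long as it stays true
    """
    n = expr.window_seconds // BUCKET_SECONDS
    fired, was_true, last_fire = [], False, None
    for i in range(n - 1, len(counts)):          # evaluate only full windows
        value = window_value(counts, i, expr)
        met = value > expr.threshold if expr.above else value < expr.threshold
        if firing_mode == "edge":
            if met and not was_true:
                fired.append(i)
        else:  # level-triggered
            if not met:
                last_fire = None
            elif last_fire is None or (i - last_fire) * BUCKET_SECONDS >= level_interval_seconds:
                fired.append(i)
                last_fire = i
        was_true = met
    return fired


def trend_alert(dataset_buckets: List[List[float]], trend: float,
                percentile: int = 75, percent_of_trend: float = 200) -> Tuple[float, bool]:
    """'75th percentile over <window> > 200 percent of trend' for one window.

    dataset_buckets: one list of timing samples per 30-second bucket (a dataset
    metric such as tprocess); trend: the baseline value of the same percentile.
    Returns (observed percentile, fires).
    """
    values = sorted(v for bucket in dataset_buckets for v in bucket)
    observed = values[ceil(percentile / 100 * len(values)) - 1]   # nearest rank
    return observed, observed > trend * percent_of_trend / 100


# Constructed data: HTTP 500 responses per 30-second bucket for one server
# over 20 minutes; a burst of errors starts at bucket 16.
HTTP_500_COUNTS = [0, 1, 0, 2, 1, 0, 0, 3, 1, 0, 2, 1, 0, 1, 0, 2,
                   15, 22, 18, 30, 27, 25, 19, 21, 24, 17, 12, 9, 4, 2, 1, 0,
                   0, 1, 0, 0, 2, 1, 0, 0]

# The two threshold examples from the text, applied to the same data.
PER_INTERVAL = ThresholdExpression(window_seconds=600, threshold=100)
PER_MINUTE = ThresholdExpression(window_seconds=600, threshold=30, per="minute")

# Constructed processing-time samples (ms): ten normal buckets, then ten slow ones.
TPROCESS_BUCKETS = [[30.0, 35.0, 40.0]] * 10 + [[80.0, 90.0, 100.0]] * 10
TREND_P75 = 40.0   # assumed baseline 75th percentile for the same metric

if __name__ == "__main__":
    print("edge, >100 per interval:", evaluate_threshold(HTTP_500_COUNTS, PER_INTERVAL))
    print("level, >100 per interval:", evaluate_threshold(HTTP_500_COUNTS, PER_INTERVAL, "level"))
    print("edge, >30 per minute:", evaluate_threshold(HTTP_500_COUNTS, PER_MINUTE))
    print("trend:", trend_alert(TPROCESS_BUCKETS, TREND_P75))
```

On this data the "> 100 per interval" expression fires once in edge mode and every five minutes in level mode, while "> 30 per minute" never fires, because over a 10-minute window it is equivalent to 300 per interval.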

Alert History

After you have configured settings for an alert or two, you can check out the Alert History for any generated alerts.

Tip: An Alerts History widget is available on the Overview page of devices and applications, and displays a list of alerts that occurred on that source.

The Alert History contains an entry for each alert generated during the time interval and displays the following information:

Severity
A color-coded indicator of the user-defined severity level of the alert. The severity levels are Emergency, Alert, Critical, Error, Warning, Notice, Info, and Debug.
Alert name
The name of the alert specified in the alert configuration settings.

For anomaly alerts, the alert name includes the anomaly title. You can click the anomaly title to view details on the Anomalies page.

Source
The name of the data source on which the alert conditions occurred. If the alert is associated with a single protocol, click the source name to go to that protocol page of the source. If the alert is associated with multiple protocols, click the source name to go to the Overview page of the source.
Time
The time of the most recent occurrence of the alert conditions.
Alert type
Indicates a trend, threshold or anomaly alert.
Tip: To view additional threshold and trend alert details, such as the alert expression, click Alert History Legacy Layout in the lower left-hand pane, and then click the alert name.

Alert notifications

You can add notifications to an alert configuration, which enables you to review high-severity alerts through email or SNMP. When the alert is generated, notifications are emailed to the specified addresses or sent to an SNMP listener.

The alert notifications contain information such as the severity level of the alert, the source, the alert conditions, and when the alert was generated. For more information, see Add a notification to an alert configuration.

Exclusion intervals

You can define a time in which alerts are suppressed through an exclusion interval. When an exclusion interval is assigned to an alert configuration, alerts will be suppressed from the Alert History, email notifications, and SNMP listener.

For example, an exclusion interval enables you to prevent recurring, duplicate alerts in the Alert History about high database activity during hours the database is backed up. For more information, see Create an exclusion interval for alerts.

Configure threshold alert settings

You can configure threshold alert settings that monitor when a specific metric crosses a defined boundary. When the conditions configured in the alert settings are met, the ExtraHop system generates a threshold alert, which you can view in the Alert History.

Threshold alerts are useful for monitoring occurrences such as SLA violations or error rates that surpass a comfortable percentage. For example, you can configure threshold alert settings that generate alerts when an HTTP 500 status code is observed more than 100 times during a ten minute period.

Before configuring alert settings, determine which metric you want to monitor and the conditions the metric must meet for the ExtraHop system to generate a threshold alert.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click New to open the Alert Configuration window.
  4. Enter a unique name for the alert configuration in the Name field.
  5. Click Threshold.
  6. From the Detail section, specify the type of metric you want to monitor.
    Top-level
    Specifies the top-level metric, such as an HTTP response or DNS request.
    Detail
    Specifies the detail metric, such as the URI of an HTTP response.
  7. Select the metric you want to monitor.
    1. Click the Select metric icon.
    2. Click the source of the metric, such as an application.
    3. Click the protocol of the metric, such as HTTP, NetFlow, or custom.
      Depending on the source and metric type, some protocols contain secondary groups for client and server metrics.
    4. Locate and click the metric you want to monitor.
      Additional fields appear depending on the metric you select:
      • The Key pattern field enables you to further refine the metric, such as to specify the definition of a custom metric. The key pattern is interpreted as a regular expression and must adhere to Perl-Compatible Regular Expression (PCRE) syntax.
      • The Data point field displayed for top-level metrics enables you to specify a percentile value for the metric.
      • The Data point field displayed for detail metrics enables you to specify a mean value plus a standard number of deviations for a metric.
  8. Optional: To monitor the value of the selected metric divided by a secondary metric, click the Ratio checkbox and select a secondary metric from the field provided.
    For example, divide the number of DNS response errors by the total number of DNS responses to monitor the percentage of errors that exceed a specified threshold.
  9. Select one of the following firing modes:
    Edge-Triggered
    An edge-triggered alert is generated only once when the alert conditions are true. The alert is generated again only if conditions are true after the metric value has returned to normal conditions twice.
    Level-Triggered
    A level-triggered alert is generated continuously while the alert conditions are true for the specified time period.
  10. In the Alert When section, specify the following options that define the alert expression:
    Interval
    Specifies the length of the time interval.
    Operator
    Specifies how to compare the interval to the value.
    Note: The ExtraHop system does not record values of zero for metrics. Instead, the ExtraHop system observes a lack of values. If you specify a value of zero in your alert configuration, the alert never generates. To create an alert configuration with a zero value, select the < (less than) operator and type a value of 1.
    Value
    Specifies the number of metric occurrences to watch for.
    Rate
    Specifies the rate in which metric occurrences happen.

    For example, to issue an alert when the value of the observed metric crosses the threshold more than 10 times per minute in a 30 minute interval, set the following values in the Alert When options:

    Time interval: 30 minutes

    Operator: >

    Value: 10

    Rate: minute

    The Alert When options work with the Firing Mode options to determine how many times an alert should be generated.

  11. Click OK.


Configure trend alert settings

You can configure alert settings that monitor when a specific metric deviates from normal trends observed by the system. When the conditions configured by the alert settings are met, the ExtraHop system generates a trend alert, which you can view in the Alert History.

Trend alerts are useful for monitoring metric trends such as unusually high round-trip times or storage servers experiencing abnormally low traffic, which might indicate a failed backup. For example, you can configure trend alert settings that generate alerts when a spike (75th percentile) in HTTP web server processing time lasts longer than 10 minutes, and where the metric value of the processing time is 100% higher than the trend.

Before configuring alert settings, determine which metric you want to monitor and the conditions the metric must meet for the ExtraHop system to generate a trend alert.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click New to open the Alert Configuration window.
  4. Enter a unique name for the alert configuration in the Name field.
  5. Click Trend.
  6. Select the metric you want to monitor.
    1. Click the Select metric icon.
    2. Click the source of the metric, such as an application.
    3. Click the protocol of the metric, such as HTTP, NetFlow, or custom.
      Depending on the source and metric type, some protocols contain secondary groups for client and server metrics.
    4. Locate and click the metric you want to monitor.
      Depending on the metric you select, the Key pattern field appears, which enables you to further refine the metric, such as to specify the definition of a custom metric. The key pattern is interpreted as a regular expression and must adhere to Perl-Compatible Regular Expression (PCRE) syntax.
    5. Click OK.
    6. If you have selected a dataset or sampleset metric, additional metrics options are available as described in Dataset and sampleset metric options for trend alerts.
  7. Optional: To monitor the value of the selected metric divided by a secondary metric, click the Ratio checkbox and select a secondary metric from the field provided.
    For example, divide the number of DNS response errors by the total number of DNS responses to monitor the percentage of errors that exceed a specified trend threshold.
  8. Select one of the following firing modes:
    Edge-Triggered
    An edge-triggered alert is generated only once when the alert conditions are true. The alert is generated again only if conditions are true after the metric value has returned to normal conditions twice.
    Level-Triggered
    A level-triggered alert is generated continuously while the alert conditions are true for the specified time period.
  9. In the Alert When section, specify the following options that define the alert expression:
    Metric calculation
    Specifies the method by which the metric should be calculated, which are described in Metric calculation options for trend alerts. It is important to note that the alert configuration does not disable incompatible options the way the Metric Explorer does. Be sure to select the median or a percentile calculation when adding a dataset metric or you might issue unintended alerts.
    Interval
    Specifies the length of the time interval.
    Operator
    Specifies how to compare the interval to the value.
    Note: The ExtraHop system does not record values of zero for metrics. Instead, the ExtraHop system observes a lack of values. If you specify a value of zero in your alert configuration, the alert will never be generated. To create an alert configuration with a zero value, select the < (less than) operator and type a value of 1.
    Value
    Specifies the trend value that will issue an alert. The observed metric is compared to a specified trend value.

    For example, if measured in percentages, a trend value of 100 means that the alert is generated when the observed metric matches the trend. A trend value of 150 means that the alert is generated when the observed metric is 50% above the trend. Likewise, enter a value of 50 for 50% below trend.

    Measure
    Specifies the unit by which the value is measured.

    For example, to issue an alert when the standard deviation of the observed metric over a 60 minute interval is equal to 125% of the trend (25% above trend), set the following Alert When values:

    Metric calculation: std. deviation

    Interval: 60 minutes

    Operator: ==

    Value: 125

    Measure: percent of trend

    Alert When options work with the Firing Mode options to determine how many times an alert should be generated.

  10. Click the Trend Settings tab and configure trend-specific settings for the alert.
    1. In the Window field, select the calculation window for the trend from the options described in Window options for trend alerts.
    2. In the Lookback field, specify the number of minutes of lookback, which refers to how far back you can look up historical data.
    3. In the Weighting Model section, select and configure the model you want from the options described in Weighting model options for trend alerts.
  11. Click OK.


Dataset and sampleset metric options for trend alerts

This section describes the additional options available for trend alert configurations that monitor dataset and sampleset metrics.

Merge
Merges all the datasets and applies the trending function to one superset of data.

For example, a 30-second aggregation roll up, or metric cycle, contains a single dataset for each 30-second interval. Therefore, a 30-minute interval has 60 datasets.

You can generate a trendline from these datasets with one of the following methods:

  • Determine the mean, median, or nth percentile of each dataset, and perform a trend calculation on this value. For example, you might want to determine the moving average (trend function) of the 95th percentile of processing time.
  • Merge all of the datasets together into one large dataset and perform a trend calculation on this value. For example, you might want to merge the datasets, then calculate the trimean (trend function) of the combined dataset.
Mean
Calculates the mean of each dataset.
Percentile
Calculates a percentile of each dataset as specified in the Percentile Value field.
Standard Deviation
Calculates the normal deviation compared to the current trend alert through the same standard deviation parameters as the trend. The parameters can be absolute or relative, as specified in the Normalization field.
    Absolute
    Displays the standard deviation as a constant.
    Relative to Mean
    Displays the standard deviation relative to the mean.
Note: If not calculated as standard deviation, the selected dataset metric is calculated as an absolute sample.

Metric calculation options for trend alerts

This section describes the metric calculation options available when configuring the alert conditions for trend alerts.

mean
Specifies the mean value of the metric. Only select this option for sampleset metrics, such as server processing time (tprocess) by server.
median
Specifies the 50th percentile value of the metric. Only select this option for sampleset metrics, such as server processing time (tprocess) or round trip time (rtt).
25th percentile
Specifies the 25th percentile value of the metric. Only select this option for sampleset metrics, such as server processing time (tprocess) or round trip time (rtt).
75th percentile
Specifies the 75th percentile value of the metric. Only select this option for sampleset metrics, such as server processing time (tprocess) or round trip time (rtt).
count (total)
Specifies the count or total of the metric values as an absolute value.
std. deviation
Calculates the normal deviation compared to the current metric. Only select this option for sampleset metrics, such as server processing time (tprocess) by server.
ANY
Generates the alert when any of the specified conditions are present.
ALL
Generates the alert when all of the specified conditions are present.
NONE
Generates the alert when none of the specified conditions are present.

Window options for trend alerts

This section describes the Window field options available on the Trend Settings tab when you configure a trend alert.

Same Hour of Week
Calculates the trend within a specified 1-hour window each week.
Same Hour of Day
Calculates the trend within a specified 1-hour window each day.
Minute Rolling Average
Calculates the trend based on the average of the data gathered each minute within a specified amount of time from the present time.
Hour Rolling Average
Calculates the trend based on the average of the data gathered each hour within a specified amount of time from the present time.

Weighting model options for trend alerts

This section describes the weighting model options that are available when configuring trend alerts.

Mean
Specifies the manner in which to calculate the average.
    Linear Average
    Calculates the average with all data points weighted equally.
    Single Exponential
    Calculates the average with the most recent data points weighted more heavily.
    Double Exponential
    Calculates the average with the most recent data points weighted the most heavily.

For linear averages, the most recent value is weighted at 1 times the oldest value by default. For single and double exponential means, enter a number to weight the most recent value.

Percentile
Specifies the percentile value to be referenced as a basis for creating the trend.
    Percentile
    Calculates the trend with data points from a user-specified percentile.
    Min Value
    Calculates the lowest data point gathered during the time interval.
    Max Value
    Calculates the highest data point gathered during the time interval.
Regression
Specifies monitoring for increasing trends.
    Linear
    Calculates steadily increasing trends based on previous trends that are equally incremental.
    2nd Degree Polynomial
    Calculates exponentially accelerating trends by projecting a curve with the following equation:
    y = ax² + bx + c
Standard Deviation
Calculates the normal deviation compared to the current trend.
    Type
    Applies a sample-based or population-based standard deviation.
    Normalization
    Displays the standard deviation relative to the mean.
Note: If a trend is a standard deviation, the same parameters as the trend are applied to alert configurations associated with that trend. If the trend is not a standard deviation, then the alert is calculated as "sample" and "absolute".
Static Value
Calculates based on the specified static value. This option is useful to plot constant lines for SLAs.
Time Delta
Applies the oldest trend to calculate a time range based on the lookback window.
Trimean
Calculates the weighted average of the 25th, 50th, and 75th percentile values.
Winsorized Mean
Replaces the most outlying values with the highest and lowest remaining values. Values above the 90th percentile become the same value as the 90th and values below the 10th percentile become the same value as the 10th.
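The added example below works through several of the weighting models described in this section (linear average, single exponential, trimean, winsorized mean, sample and population standard deviation) and the "percent of trend" comparison used by the trend alert expression; it is illustrative code, not ExtraHop's implementation. The percentile method (linear interpolation between sorted ranks), the Tukey-style trimean weighting and the exponential smoothing parameter are assumptions, since the guide does not specify them.

```python
"""Trend weighting models and the percent-of-trend comparison (added example)."""
import math
import operator
from typing import List, Optional, Sequence

OPERATORS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
             "<=": operator.le, "==": operator.eq}


def percentile(values: Sequence[float], p: float) -> float:
    """p-th percentile, interpolating linearly between sorted ranks (assumed method)."""
    if not values:
        raise ValueError("empty dataset")
    s = sorted(values)
    rank = (len(s) - 1) * p / 100.0
    lo = int(rank)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (rank - lo)


def linear_average(values: Sequence[float]) -> float:
    """Mean with every data point weighted equally."""
    return sum(values) / len(values)


def single_exponential(values: Sequence[float], weight: float) -> float:
    """Exponentially weighted mean: the most recent point gets `weight` (0..1),
    older points decay geometrically (assumed form of the single exponential model)."""
    if not 0.0 < weight <= 1.0:
        raise ValueError("weight must be in (0, 1]")
    smoothed = float(values[0])
    for v in values[1:]:
        smoothed = weight * v + (1.0 - weight) * smoothed
    return smoothed


def trimean(values: Sequence[float]) -> float:
    """Weighted average of the 25th, 50th and 75th percentiles (median counted twice)."""
    q1, q2, q3 = (percentile(values, p) for p in (25, 50, 75))
    return (q1 + 2 * q2 + q3) / 4.0


def winsorized_mean(values: Sequence[float], low: float = 10, high: float = 90) -> float:
    """Mean after clamping values below the 10th / above the 90th percentile to those percentiles."""
    lo_val, hi_val = percentile(values, low), percentile(values, high)
    clipped = [min(max(v, lo_val), hi_val) for v in values]
    return linear_average(clipped)


def std_deviation(values: Sequence[float], sample: bool = True) -> float:
    """Sample-based (n-1) or population-based (n) standard deviation."""
    n = len(values)
    if n < 2 and sample:
        raise ValueError("sample standard deviation needs at least two values")
    m = linear_average(values)
    var = sum((v - m) ** 2 for v in values) / (n - 1 if sample else n)
    return math.sqrt(var)


def percent_of_trend(observed: float, trend: float) -> Optional[float]:
    """Observed value as a percentage of the trend (100 = matches the trend).
    A zero trend has no meaningful ratio, so None is returned (assumption)."""
    if trend == 0:
        return None
    return observed / trend * 100.0


def trend_alert_fires(observed: float, trend: float, op: str, value: float) -> bool:
    """Evaluate an expression such as '75th percentile ... > 200 percent of trend'."""
    pct = percent_of_trend(observed, trend)
    return pct is not None and OPERATORS[op](pct, value)


# Constructed sample: server processing times (ms) in one dataset, with one outlier.
SAMPLE_TPROCESS: List[float] = [10, 12, 11, 13, 12, 11, 14, 12, 13, 400]

if __name__ == "__main__":
    for name, fn in (("linear average", linear_average), ("trimean", trimean),
                     ("winsorized mean", winsorized_mean)):
        print(f"{name:16s} {fn(SAMPLE_TPROCESS):.2f}")
    # 75th percentile of the current window against a trend of 13 ms, threshold 200%.
    print("fires:", trend_alert_fires(percentile(SAMPLE_TPROCESS, 75), 13, ">", 200))
```

The run shows why the guide's advice to pick a median or percentile calculation matters for skewed data: a single 400 ms outlier pulls the linear average to 50.8 ms while the trimean stays near 12 ms and the winsorized mean near 16 ms.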

Assign an alert configuration to a source

Although you configure alert settings from the System Settings window, you assign an alert configuration to a source from the Metrics page in the ExtraHop Web UI. You must assign an alert to a source before it can monitor your environment.

Before you begin

You must configure an alert before it can be assigned. See Configure threshold alert settings, Configure trend alert settings, or Configure Addy anomaly alert settings.
For threshold and trend alerts, you can only assign the alert configuration to the same source type as the monitored metric.

For anomaly alerts, you can only assign the alert configuration to the same source type you selected in the alert settings.

The following procedure shows you how to assign an alert configuration to a device, which is similar for assigning alert configurations to applications and device groups.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click Metrics from the top menu.
  3. Click Devices in the left pane.
  4. Select the checkbox for each device you want monitored by the alert configuration.
  5. Click the Assign Alert icon from the top of the page.
  6. Select the checkbox for each alert configuration you want to assign to the selected devices.
  7. Click Assign Alerts.
The alert configuration monitors the selected devices for the alert conditions specified in the alert settings.
Tip: You can also manage alert assignments for a device, device group, or application from the Overview page for that source. From the Manage... section, click Assignments or Alerts to add or remove alert assignments from the source and to view which alerts are already assigned to the source.


Add a notification to an alert configuration

You can add notifications to an alert configuration that will email specified addresses when an alert is generated. You can also send notifications to an SNMP listener.

Before you begin

You must configure an alert before you add notifications. See Configure threshold alert settings, Configure trend alert settings, or Configure Addy anomaly alert settings.
  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Open the alert you want, and then click the Notifications tab.
  4. From the Severity list, specify one of the following severity levels for the generated alert:
    • Emergency
    • Alert
    • Critical
    • Error
    • Warning
    • Notice
    • Info
    • Debug
    You can specify the severity level for the alert without adding notifications. The severity level is displayed in emails and also appears in the Alert History.
  5. Select Send SNMP trap to specify whether notifications are sent to an SNMP listener.
    Users with administration privileges can configure the SNMP listener in the ExtraHop Admin UI.
  6. In the Email notification groups section, select the email groups that can receive notifications when an alert is generated.
    The Default group is selected by default. Users with full system privileges can configure additional email groups in the ExtraHop Admin UI.
  7. Optional: In the Additional email addresses section, specify any email addresses that are not included in a selected group, but should receive notifications when an alert is generated.
  8. Optional: In the Additional metrics in emails section, enter any additional metrics you want to include in the notification email.
    Enter the metric names, one per line, into the window or click the Find metric... button to search for a metric.
  9. Click OK.

Create an exclusion interval for alerts

Exclusion intervals define a time in which alerts are suppressed. For example, if you do not want to be notified about alerts after hours or on the weekends, create an exclusion interval that specifies the time period to suppress alerts. After you create the exclusion interval, you can assign it to one or more alert configurations.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click the Exclusion Intervals tab, and then click New.
  4. Enter a unique name for the exclusion interval in the Name field.
  5. Optional: In the Assign to All section, you can assign the exclusion interval to all alert configurations or only to trend alert configurations.
    • To assign the exclusion interval to all existing and future alert configurations, click Alerts.
    • To assign the exclusion interval to all existing and future trend alert configurations, click Trend.
  6. From the Exclude section, specify one of the following time frame options for the exclusion interval:
    • To set a one-time exclusion interval, select From.
    • To set a daily exclusion interval, select Every day.
    • To set a weekly exclusion interval, select Every week from.
  7. Click OK.

Assign an exclusion interval to an alert

Assign one or more exclusion intervals to an alert configuration to suppress generation of alerts during a specified time frame.

Before you begin

You must configure an alert before you assign an exclusion interval. See Configure threshold alert settings, Configure trend alert settings, or Configure Addy anomaly alert settings.
  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click the alert configuration you want to open in the Alert Configuration window.
  4. Click the Exclusion Intervals tab.
  5. Select the checkbox next to each exclusion interval you want to assign to the alert.
  6. Click OK.

View the exclusion interval history

The exclusion interval history displays the last 100 changes made to exclusion interval configurations.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Alerts.
  3. Click the Exclusion Intervals tab, and then click the History tab.
    The tab displays the following information:
    Change
    Displays the change that was made to the exclusion interval.
    Author
    Displays the author of the change.
    Timestamp
    Displays when the change was made.
  4. Click OK to close the window.

Geomaps concepts

A geomap is a visual representation of worldwide activity based on a single count metric. The ExtraHop system determines the originating IP address of each metric event and plots it to a regional data point on the geomap.

View regional details

A metric tracked on a geomap displays a data point for each location from where metric data originates, and you can click the data point to display regional details.

For example, assign an SSH session metric to a geomap to find out if SSH attempts are coming from unauthorized locations. Click on a data point to show the IP addresses that sent the requests.

Click a data point to view the following regional activity details:

Summary
Displays the following information about user activity in the region:
  • The total number of IP addresses on which a response or a request has been made.
  • The number of unique IP addresses out of the total number of addresses.
  • The mean, or average, number of IP addresses per unique IP address.
Top locales
Displays the top two locales that generate the most activity in the region. Locales are cities that are geographically close together and can be summarized in one region. For example, the window might display Mountain View, California and Oakland, California as the top locales for a region.
Top users
Displays the top six users that have generated the most activity in the region. Each user is identified by IP address, and the number of responses or requests generated by each IP address is displayed.

View alert details

A metric tracked on a geomap might be associated with one or more alerts. If the metric activity meets alert conditions, the appearance of the data point indicates the severity level.

Alert severity levels are represented by the following colors on the geomap:

Gray
Indicates that no user-defined alerts are configured, or only edge-triggered alerts are configured.
Green
Indicates that no user-defined alerts are configured, or that an alert with a severity level of Debug or Informational was generated.
Orange
Indicates that at least one alert with a severity level of Notice or Warning was generated.
Red with spinning edges
Indicates that at least one alert with a severity level of Error or Critical was generated.
Red with sonar beacons
Indicates that at least one alert with a severity level of Emergency or Alert was generated.

For example, suppose an alert is configured to watch HTTP responses on a group of web servers so that a critical-level notification is sent any time the ratio of errors exceeds 5%. If your geomap tracks HTTP responses on the same web servers, data points display as red with spinning edges in each region where the alert condition is met.

The Firing Mode setting of an alert affects the data points on the geomap. For example, edge-triggered alerts are prompted only when the alert threshold is crossed, so the data point is red when the issue first occurs, but not continuously. Level-triggered alerts are generated continuously while the alert conditions are true, and the data point reflects the continuous state.

We recommend that you configure level-triggered alerts at the same interval (or more frequently) as the time interval that you are displaying in the geomap.

Click a data point to view the following alert details:

  • The IP addresses that have generated an alert.
  • The alert severity level associated with each IP address.
  • The name of the alert associated with each IP address.

See Alerts for more information about configuring alerts and alert severity levels.

Each geomap displays the following information and controls:

Display controls
Settings that determine the look of the geomap and the time range of the data displayed.
Activity graphs
Graphs that display user activity in smaller data sets.
Autopilot
A feature that automatically navigates between the top eight regions with the most user activity.
Updater
A timer that counts down to the next refresh of the data on the geomap.


Generate a geomap

The ExtraHop system makes it easy for you to generate a geomap on-the-fly from a metric detail page. The ExtraHop system determines the originating IP address of each metric event and plots it to a regional data point on the geomap.

You can only generate geomaps for count metrics that can be broken down by an IP address.

To learn about how geomaps work and what information is provided, see Geomaps concepts.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Go to the device, application, or dashboard that displays the count metric you want to track.
    • To go to a device page, click Metrics, click Devices or Device Groups from the left pane, and then click the device you want.
    • To go to an application page, click Metrics, click Applications from the left pane, and then click the application you want.
    • To go to a dashboard, click Dashboards, and then click the dashboard you want.
    Note: If there is no dashboard or source page that displays the count metric you want, create a chart and add it to a dashboard.
  3. Click the label of the count metric to open a context menu, and then select the key for the detail metric you want from the Drill down by list.
    Depending on the metric, the available keys might be client, server, or IP.
    The detail page for the source of the metric appears.
  4. Click the View Geomap button.
    The geomap opens in full-screen on a new browser tab.
    Tip: You can save or bookmark the geomap URL to quickly return to it.

Packets concepts

Before you begin

You must have a configured ExtraHop Trace appliance before you can store and query for packets. See our deployment guides to get started.

With an ExtraHop Trace appliance connected to a Discover appliance, you can search for and download packets for selected transactions through the Packets feature in the ExtraHop Web UI. The downloaded packets can then be analyzed through a third-party tool, such as Wireshark.

You can launch a quick packet query for the current time interval by clicking Packets from the top menu. The ExtraHop system queries packets for the selected time interval, such as the last 30 minutes, and displays the Packet Query page. If you change the time interval, the query starts again. Either end of the gray bar displays a timestamp, which is determined by the current time interval. The time on the right displays the starting point of the query and the time on the left displays the endpoint of the query. The blue bar indicates the time range during which the system found packets. You can drag to zoom on a period of time in the blue bar to run a query again for that selected time interval.

The following figure provides an overview of the Packet Query page and features:

However, there are multiple locations in the ExtraHop Web UI from which you can initiate a packet query:
  • Type an IP address in the global search field and then select the Search Packets icon.

  • Click Packets from the upper right corner of a device page.

  • Click the Packets icon next to any record on a record query results page. (Only available with a connected Explore appliance.)

  • Click on an IP address or hostname in any chart with metrics for network bytes or packets by IP address to see a context menu. Then, select the Packets icon to query for the device and time interval.

Configure global packet capture

When you enable the global packet capture feature on the Discover appliance, you start collecting packets for every flow to an SSD installed on your Discover appliance or, in the case of a virtual machine, to a regular disk drive.

Before you begin

Make sure you are licensed for the packet capture feature and that you have added the packet capture disk (an SSD on a physical appliance or an additional drive on a virtual machine). Note that the Packet Captures section in the Admin UI does not appear if your Discover appliance is not licensed for the feature. For information about adding an SSD drive, see Install an SSD for Packet Capture on the ExtraHop Discover Appliance.

For Discover virtual appliances, refer to your hypervisor manual for configuring an additional 500 GB disk.

  1. Log into the Admin UI on the Discover appliance.
  2. In the Packet Captures section, click Global Packet Capture.
  3. In the Start Global Packet Capture section, type the following information:

    Name: The name for the capture.

    Max Packets: The maximum number of packets to capture. This value cannot be a negative number.

    Max Bytes: The maximum number of bytes to capture. This value cannot be a negative number.

    Max Duration (milliseconds): The maximum duration that the global capture should run. If this value is set to 0, this field is ignored and the duration runs for an unlimited time.

    Snaplen: The maximum number of bytes copied per frame. By default, this value is 96 bytes, but you can set this value to a number between 0 and 65536.

  4. Click Start.
  5. Click Stop to stop the packet capture before any of the maximum limits are reached.

Download your packet capture from the View Packet Captures page and open the file in a packet analyzer such as Wireshark.

Records concepts

Before you begin

You must have a configured ExtraHop Explore appliance and connect it to your Discover appliance before you can store and query for records. See our deployment guides to get started.

Records are structured information about transaction, message, and network flows that are generated and sent from a Discover appliance to an Explore appliance for storage and retrieval. After your records are stored, you can query for them from the Discover or Command appliances.

With the Discover appliance, you start with a high-level view of your Discover appliance data, and then drill down to view your device data. With records stored on an Explore appliance, you can drill down to individual transactions from those devices, or you can query for outlying transactions, such as overly long processing times or unusual response sizes.

For example, if you had fifty HTTP 503 errors, you could view details about those errors by querying the records stored on the Explore appliance. The records would contain specific information about each individual HTTP transaction, which might reveal the underlying problem.

There are two basic types of records: flow and L7. Flow records show network-layer communication between two devices over an IP (L3) protocol. L7 records show details from individual messages or transactions over L7 protocols. There are three types of supported L7 protocols: transactional (such as HTTP, CIFS, and NFS), message-based (such as ActiveMQ, DNS, and DHCP), and session-based (such as SSL and ICA).

Important: Most user privileges let you query for records, but collecting and storing records requires full write privileges and familiarity with writing triggers.

Here are a few definitions you should know about records in the ExtraHop Web UI:

Records: An object that contains fields, where each field is a name and a value pair. The value can be a string, number, boolean, array, or nested object.

Record types: An ID that determines what data is collected and stored on your Explore appliance. Because you must write a trigger to collect records, you need a way to identify the type of data you will collect. There are built-in record types, which collect all of the available known fields for a protocol. You can start with a built-in record type (such as HTTP) and write a trigger to collect only the fields for that protocol that matter to you (such as URI and status code). Or, advanced users can create a custom record type if they need to collect proprietary information that is not available through a built-in record type.

Record formats: A schema that lets you display stored records in a formatted table (or table view) when you run a record query. The Discover appliance has record formats for each built-in record type. However, if you create a custom record type, but do not create a corresponding record format, you will only be able to view your fields in a text verbose view.

Collecting and storing built-in records

Any system protocol can be committed (collected and stored) as a record through a global trigger function. The basic trigger syntax is <protocol>.commitRecord().

HTTP.commitRecord() commits all detected HTTP traffic for the devices to which the trigger is assigned. The following figure shows the completed Trigger Configuration window.

For each built-in record type (such as HTTP), there is a corresponding built-in record format. Record formats control how records of a certain type are displayed in the ExtraHop Web UI, such as the display name of each field, the preferred order of fields, and which fields are visible by default. A record format is needed to show fields in the table view. Without a record format, all the fields in a record can still be viewed in verbose view, which displays all fields in plain text. (Modifying record formats for custom record types is an advanced feature.)

The following figure shows record results for all HTTP transactions.


Collect flow records to store on your Explore appliance

You can automatically collect all flow records, which are network-layer communications between two devices over an IP protocol. If you enable this feature, but do not add any IP addresses or port ranges, all detected flow records are captured.

Before you begin

Configuring flow records for automatic collection is fairly straightforward and can be a good way to test that your appliances are connected.
  1. Log into the Admin UI on your Discover appliance.
  2. In the ExtraHop Explore Settings section, click Automatic Flow Records.
  3. Select the Enabled checkbox.
  4. In the Publish Interval field, type a number between 60 and 21600. This value determines how often records from an active flow are sent to the Explore appliance. The default value is 1800 seconds.
  5. In the IP Address field, type a single IP address or IP address range in IPv4, IPv6, or CIDR format. Then, click the green plus (+) icon. (You can remove an entry by clicking the red delete (X) icon.)
  6. In the Port Ranges field, type a single port or port range. Then, click the green plus (+) icon.
  7. Click Save.
    Flow records that meet your criteria are now automatically sent to your connected Explore appliance. Wait a few minutes for records to be collected, and then verify that flow records are being collected in the next step.
  8. Click Records from the top navigation to launch a query. If you do not see any records, wait a few minutes and try again. If no records appear after five minutes, review your configuration or contact ExtraHop Support.

Collect L7 records to store on your Explore appliance

You can collect L7 records to store on your Explore appliance, which show details from individual messages or transactions over L7 protocols. These types of records require triggers.

Before you begin

In the following example, you will learn how to collect records for any device that sends or receives an HTTP response. First, we will write a trigger to collect information from the built-in HTTP record type. Then, we will assign the trigger to a web server. Finally, we will verify that the records are being sent to the Explore appliance.
  1. Log into the Web UI on your Discover appliance.
  2. Click the System Settings icon, and then click Triggers.
  3. Click New to launch the Trigger Configuration window.
  4. In the Configuration tab, complete your information, similar to the following example:

    Name: HTTP Responses

    Author: ExtraHop

    Description: This trigger collects HTTP responses.

    Debugging: Select the checkbox to enable debugging.

    Events: HTTP_RESPONSE

  5. Click the Editor tab.
  6. Type the following example code in the text box:
    HTTP.commitRecord();
    debug("committing HTTP responses");

    This code generates records for the HTTP record type when the HTTP_RESPONSE event occurs and corresponds to the built-in record format for HTTP.

  7. Click Save and Close. Next, assign this trigger to a web server.
  8. Click Metrics from the top menu and then click Devices in the left pane.
  9. Search for an active web server that you want to collect records for. For this example, we will select a web server called web-sea-example.
  10. Select the checkbox next to the web server (such as web-sea-example).
  11. Click Assign Trigger from the menu above the table.
  12. From the list, select the checkbox next to the trigger we previously created named HTTP Responses, and then click Assign Triggers.
    Records that meet your criteria are now sent to your connected Explore appliance. Wait a few minutes for records to be collected, and then verify that your records are being collected in the next step.
  13. Click Records from the top menu to launch a query. If you do not see any HTTP records, wait a few minutes and try again. If no records appear after five minutes, review your configuration or contact ExtraHop Support.

Collect custom records to store on your Explore appliance

You can customize the type of record details you generate and store on your Explore appliance by writing a trigger. Optionally, create a record format to control how the records display in the ExtraHop Web UI.

Before you begin

In the following example, you will learn how to store only records for HTTP transactions that result in a 404 status code. First, we will write a trigger to collect information from the built-in HTTP record type. Then, we will assign the trigger to a web server. Finally, we will create a record format to display selected record fields in the table view for our record query results.

Write and assign a trigger

Note that the trigger must be created on each Discover appliance that you want to collect these types of records from.

  1. Log into the Web UI on the Discover appliance.
  2. Click the System Settings icon, and then click Triggers.
  3. Click New to launch the Trigger Configuration window.
  4. In the Configuration tab, complete your information, similar to the following example:

    Name: HTTP 404 Errors

    Author: ExtraHop

    Description: Track 404 errors on primary web server.

    Debugging: Select the checkbox to enable debugging.

    Events: HTTP_RESPONSE

  5. Click the Editor tab to write the trigger specifications.
    The following figure shows an example configuration that only collects records when a 404 status code is detected. We also set a name (web404) for these types of records to identify them in a record query and added identifying information for debugging.

    In the next steps, assign the trigger to a device or device group for which you want to monitor 404 status codes.
  6. Click Metrics from the top menu.
  7. Click Devices.
  8. Select the checkbox for a device from the list. For our example, we will select a web server called web2-sea.
  9. Click the Assign Triggers icon, select the trigger you created in the previous steps, and then click Assign Triggers. In the following figure, we have selected our web server, web2-sea.
    After assigning the trigger, return to the System Settings > Trigger page and select the trigger you created. First, make sure your device has activity. Then, click the Runtime Log tab to see if the trigger is committing your records. For the following example, we intentionally visited unavailable web pages to generate 404 errors.
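
The trigger figure referenced above is not reproduced on this page, so here is an added reconstruction of the logic the text describes (commit only 404 responses, name the record type web404, keep a few identifying fields). This is example code written for this guide, not the trigger shown in the original figure or ExtraHop's own code. The property names on the HTTP and Flow objects (HTTP.statusCode, HTTP.uri, HTTP.method, HTTP.processingTime, Flow.client.ipaddr, Flow.server.ipaddr) and the global commitRecord(id, record) and debug() functions are assumed from the ExtraHop Trigger API; verify them against the API reference for your firmware before assigning the trigger. On the appliance those objects are provided by the runtime; here they are passed as parameters so the logic runs and can be checked offline against constructed events.

```javascript
// Added example: trigger logic for a custom "web404" record type.
// Not the guide's figure and not ExtraHop code; API property names below are
// assumptions to verify against the Trigger API reference for your firmware.

const RECORD_TYPE = "web404"; // must match the Record Type entered in the record format

// Build the record object for one HTTP_RESPONSE event, or return null when
// the response should not be committed. Keeping this a pure function makes
// the filtering rule testable outside the appliance.
function buildWeb404Record(http, flow) {
  if (http.statusCode !== 404) {
    return null;
  }
  return {
    client: String(flow.client.ipaddr),   // assumed: Flow.client.ipaddr
    server: String(flow.server.ipaddr),   // assumed: Flow.server.ipaddr
    method: http.method,                  // assumed: HTTP.method
    statusCode: http.statusCode,          // assumed: HTTP.statusCode
    uri: http.uri,                        // assumed: HTTP.uri
    processingTime: http.processingTime,  // assumed: HTTP.processingTime (ms)
  };
}

// Trigger body as it would appear in the Editor tab for event HTTP_RESPONSE.
// On the appliance, HTTP, Flow, commitRecord and debug are runtime globals;
// here they are parameters so the function can run stand-alone.
// Returns true when a record was committed.
function onHttpResponse(HTTP, Flow, commitRecord, debug) {
  const record = buildWeb404Record(HTTP, Flow);
  if (record === null) {
    return false;
  }
  commitRecord(RECORD_TYPE, record); // assumed global: commitRecord(id, record)
  debug("committed " + RECORD_TYPE + " record for " + record.uri);
  return true;
}

// Constructed sample events (not captured traffic) used to exercise the
// logic offline: one normal response, one 404, one server error.
const SAMPLE_EVENTS = [
  { HTTP: { statusCode: 200, method: "GET", uri: "/index.html", processingTime: 12 },
    Flow: { client: { ipaddr: "10.0.0.5" }, server: { ipaddr: "10.0.1.20" } } },
  { HTTP: { statusCode: 404, method: "GET", uri: "/missing.png", processingTime: 3 },
    Flow: { client: { ipaddr: "10.0.0.7" }, server: { ipaddr: "10.0.1.20" } } },
  { HTTP: { statusCode: 500, method: "POST", uri: "/api/submit", processingTime: 900 },
    Flow: { client: { ipaddr: "10.0.0.9" }, server: { ipaddr: "10.0.1.20" } } },
];

// Run the trigger body over the sample events with a capturing commitRecord
// stub and return everything that would have been sent to the Explore appliance.
function runSamples(events) {
  const committed = [];
  const commitRecord = (id, record) => committed.push({ id, record });
  const debug = () => {};
  for (const ev of events) {
    onHttpResponse(ev.HTTP, ev.Flow, commitRecord, debug);
  }
  return committed;
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSamples(SAMPLE_EVENTS), null, 2));
}
```

Running the file prints the single committed web404 record (the /missing.png response); the 200 and 500 responses are dropped by buildWeb404Record, which is the behaviour the Runtime Log should also show once the trigger is assigned to a device with traffic.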

Query for your custom record type
  1. Click Records from the top menu.
  2. In the left pane, click the Record Type drop-down. Your newly created record type should appear in italics at the top of the list.
  3. Select the record type and then click out of the menu. For our example, we will select web404, as displayed in the figure below.
  4. Click the Verbose View icon.
  5. Click Fields and then click Select All.
    All of the information collected from the trigger about these records is shown in the query results.

Create a custom record format to display your record results in a table

Record formats are an optional way to display your records with only the fields you want to see. The quickest way to create a custom record format is to copy and paste the schema on read from a built-in record format into a new record format. If you have multiple Discover appliances, you need to create the custom record format on each appliance where the record results are viewed.

  1. Log into the ExtraHop Web UI on the Discover appliance.
  2. Click the System Settings icon and then click Record Formats.
  3. Click on the type of record you want to copy. For our example, we will copy the HTTP record format.
  4. Copy the contents in the text box below Schema on Read.
  5. Click New Record Format.
  6. Complete the following fields:

    Display Name: Type a unique name for your record format.

    Author: Identify the author for the record format.

    Record Type: Type the same record type ID you created in the trigger. In our example, this value is web404.

    Schema on Read: Paste the copied contents from step 4 into the text box. Edit the box to delete any unwanted fields. For our example in the figure below, we only kept the following fields: Client, Server, Method, Status Code, URI, and Processing Time.


Record format settings

The Record Format Settings page displays a list of all built-in and custom record formats that are available on your local ExtraHop Discover or Command appliance. If you need to create a custom record format, we recommend that you begin by copying and pasting the schema on read information from a built-in record format. Advanced users might want to create a custom record format with their own field-value pairs, and should apply the reference material provided in this section.

Record formats consist of the following settings:
Display Name
The name displayed for the record format in the Web UI. If there is no record format for the record, the record type is displayed.
Author
(Optional) The author of the record format. All built-in record formats display ExtraHop as the author.
Record Type
A unique alphanumeric name that identifies the type of information contained in the associated record format. The record type links the record format with the records that are sent to the Explore appliance. Built-in record formats have a record type that begins with a tilde (~). Custom record formats cannot have a record type that begins with a tilde (~).
Schema on Read
A JSON-formatted array with at least one object, which consists of a field name and value pair. Each object describes a field in the record and each object must have a unique combination of name and data type for that record format. You can create the following objects for a custom record format:
name
The name of the field.
display_name
The display name for the field. If the display_name field is empty, the name field is displayed.
description
(Optional) Descriptive information about the record format. This field is limited to the Record Format Settings page and is not displayed in any record query.
default_visible
(Optional) If set to true, this field displays in the Web UI as a column heading by default in table view.
facet
(Optional) If set to true, facets for this field display in the Web UI. Facets are a short list of the most common values for the field that can be clicked to add a filter.
data_type
The abbreviation that identifies the type of data stored in this field. The following data types are supported:
Data Type     Abbreviation   Description
application   app            ExtraHop application ID (string)
boolean       b              Boolean value
device        dev            ExtraHop device ID (string)
IPv4          addr4          An IPv4 address in dotted-quad format. Greater than and less than filters are supported.
IPv6          addr6          An IPv6 address. Only string-oriented filters are supported.
number        n              Number (integer or floating point)
string        s              Generic string
meta_type
The sub-classification of the data type that further determines how the information is displayed in the Web UI. The following meta-types are supported for each of the associated data types:
Data Type Meta Type
String
  • user
Number
  • bytes
  • count
  • expiration
  • milliseconds
  • packets
  • timestamp
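
The rules above (a JSON array of field objects, a unique name and data_type combination per field, the fixed set of data_type abbreviations, meta_type values tied to a data type, and no leading tilde on a custom record type) are easy to get wrong when hand-editing a pasted schema. The following is an added checker written from those rules for this guide; it is not ExtraHop's own validation code and the appliance may apply further checks. The web404 schema it ships with is constructed for the custom record walkthrough (Client, Server, Method, Status Code, URI, Processing Time), with field names chosen for illustration; when you copy the built-in HTTP format, keep its field names so the stored records line up with the columns.

```javascript
// Added example: validate a custom record format before pasting it into the
// New Record Format page. Written from the rules in the settings reference;
// not ExtraHop's own validation code.

// data_type abbreviations listed in the reference.
const DATA_TYPES = new Set(["app", "b", "dev", "addr4", "addr6", "n", "s"]);

// meta_type values allowed for each data type, from the reference table.
const META_TYPES = {
  s: new Set(["user"]),
  n: new Set(["bytes", "count", "expiration", "milliseconds", "packets", "timestamp"]),
};

// Custom record types are alphanumeric and must not begin with "~", which
// marks the built-in formats. Returns a list of error strings.
function validateRecordType(recordType) {
  if (typeof recordType !== "string" || recordType.length === 0) {
    return ["record type must be a non-empty string"];
  }
  if (recordType.startsWith("~")) {
    return ["custom record type must not begin with a tilde (~); that prefix marks built-in formats"];
  }
  if (!/^[A-Za-z0-9]+$/.test(recordType)) {
    return ["record type must be alphanumeric"];
  }
  return [];
}

// Validate a Schema on Read document given as a JSON string or a parsed
// array. Returns a list of error strings; an empty list means it passes.
function validateSchemaOnRead(schema) {
  const errors = [];
  let fields = schema;
  if (typeof schema === "string") {
    try {
      fields = JSON.parse(schema);
    } catch (e) {
      return ["schema on read is not valid JSON: " + e.message];
    }
  }
  if (!Array.isArray(fields) || fields.length === 0) {
    return ["schema on read must be a JSON array with at least one object"];
  }
  const seen = new Set(); // unique (name, data_type) combinations
  fields.forEach((field, i) => {
    const where = "field " + i;
    if (field === null || typeof field !== "object" || Array.isArray(field)) {
      errors.push(where + ": must be an object");
      return;
    }
    if (typeof field.name !== "string" || field.name.length === 0) {
      errors.push(where + ": name is required");
    }
    if (!DATA_TYPES.has(field.data_type)) {
      errors.push(where + ": unknown data_type " + JSON.stringify(field.data_type));
    }
    const key = field.name + "\u0000" + field.data_type;
    if (seen.has(key)) {
      errors.push(where + ": duplicate name/data_type combination " + field.name + "/" + field.data_type);
    }
    seen.add(key);
    if (field.meta_type !== undefined) {
      const allowed = META_TYPES[field.data_type];
      if (!allowed || !allowed.has(field.meta_type)) {
        errors.push(where + ": meta_type " + JSON.stringify(field.meta_type) +
          " is not valid for data_type " + JSON.stringify(field.data_type));
      }
    }
    for (const flag of ["default_visible", "facet"]) {
      if (field[flag] !== undefined && typeof field[flag] !== "boolean") {
        errors.push(where + ": " + flag + " must be true or false");
      }
    }
  });
  return errors;
}

// Constructed schema for the web404 walkthrough (field names are illustrative).
const WEB404_SCHEMA = [
  { name: "client", display_name: "Client", data_type: "addr4", default_visible: true, facet: true },
  { name: "server", display_name: "Server", data_type: "addr4", default_visible: true, facet: true },
  { name: "method", display_name: "Method", data_type: "s", default_visible: true, facet: true },
  { name: "statusCode", display_name: "Status Code", data_type: "n", default_visible: true, facet: true },
  { name: "uri", display_name: "URI", data_type: "s", default_visible: true },
  { name: "processingTime", display_name: "Processing Time", data_type: "n", meta_type: "milliseconds", default_visible: true },
];

// A constructed schema with three mistakes, to show what the checks catch.
const BAD_SCHEMA = [
  { name: "uri", data_type: "s", meta_type: "bytes" }, // bytes is a number meta-type
  { name: "uri", data_type: "s" },                      // duplicate name/data_type
  { name: "size", data_type: "integer" },               // not a supported abbreviation
];
```

Paste the JSON.stringify(WEB404_SCHEMA, null, 2) output into the Schema on Read box only after validateSchemaOnRead returns an empty list and validateRecordType("web404") does too; the three errors reported for BAD_SCHEMA are the kinds of mistakes that otherwise show up only as missing columns in the table view.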

Query for stored records on an Explore appliance from a Discover or Command appliance

After you connect your Explore appliance to your Discover and Command appliances, and records are sent to the Explore appliance, you can query for those stored records from either the Discover or Command appliance. In addition, you can save record queries to run at a later time.

You can query records that are stored in the Explore appliance from multiple areas in the ExtraHop Web UI. The following figure shows the main records page, which you access by clicking Records from the top menu.

  • Click Records from the top menu to start a new record query for all records stored on the Explore appliance.
  • From the records page, click Record Queries in the navigation bar or Saved Record Queries in the left pane to access any saved queries or start a new query.
  • Type a search term in the global search field at the top of the screen and click Search Records to start a query across all stored records.
  • Click the Records icon from the panel of Action icons on an application or device protocol page that has built-in record formats. This option queries for records that match the selected metric source and protocol.
  • Click the Records icon in the left-hand column from any drill-down metrics page. This option queries for records that match the selected metric source, protocol, and detailed stat value.
  • Click the Records icon from a chart widget or on a metric drill-down page.

No matter where you start your query from, you might have a large set of records results. You can narrow down your results by applying filters to find the specific record you need.

Next steps

Filter your records with a simple query

There are a number of ways you can filter your record query results to find the exact transaction you are looking for. The sections below describe each method and show examples you can start with to familiarize yourself.

If you are trying to filter records by simple criteria (say, if you want all HTTP transactions from a single server that generated 404s), you can create a simple query. For simple queries, start by clicking Records from the top menu to get to the main Records page, and then add a filter in one of the following ways:

  • Add a filter or refine results from the left pane
  • Add a filter from the trifield
  • Add a filter directly from record results

Filter record results from the left pane

When you click Records from the top menu, all of the available records for your selected time interval appear. You can then filter from the left pane to refine your results.



The Record Type drop-down menu displays a list of all of the record types that your Discover or Command appliance is configured to collect and store.

The Group By drop-down gives you a list of fields to further filter the record type by.

The Refine Results section shows you a list of record types that are currently on the Explore appliance with the current number of records in parentheses.

Filter record results through the trifield

When you click Records from the top-level navigation, all of the available records for your selected time interval appear. A set of three filters (or the trifield) is available below the chart.

Select a field from the Any Field drop-down (such as Server), select an operator (such as the equal sign (=)), and then type a hostname. Click Add filter, and the filter is added above the filter bar.





Your results only show records that match the filter; in our example this means we only see results for transactions that are for the server named web2-nyc.

Filter directly from record results

You can select any field entry displayed in either table view or verbose view in your record results and then click the pop-up operator to add the filter. Filters are displayed below the chart summary (except for the record type field, which is changed in the left pane).



Filter your records with advanced query rules

For advanced queries, you can create and modify complex filters by clicking the Add Advanced Filter button or by clicking the pencil icon next to any filter that you have added.



Here are some important things to know about advanced queries:
  • You can specify multiple criteria with OR (Match Any), AND (Match All), and NONE operators
  • You can group filters and nest them to four levels within each group
  • You can edit a filter group after you create it
  • You can create a descriptive name to identify the general purpose of the query

Create a complex filter with AND and OR operators

The following example shows how you can create an advanced query to filter your records with complex criteria. We will create a filter to return results for all HTTP records that include two URIs plus a status code greater than or equal to 400 or a processing time greater than 750 milliseconds.

Important: To try this example on your own Discover appliance, you must have HTTP traffic on your network.
  1. Click Records from the top menu.
  2. In the left pane, select HTTP from the Refine Results section. Only available records are displayed in the Refine Results section. This step ensures that you have available records for this query.
    Note: Record types do not appear as filters; they are displayed in the left pane.
  3. Click the Add Advanced Filter button. The button is on the right side of the page, above the records search results.
  4. Select URI, the equal sign (=), and then enter a URI for one of your web servers. We will add assets.example.com.
  5. Click Add Filter to add a second URI for another web server.
  6. Select URI, the equal sign (=), and then enter another URI. We will add media.example.com.
  7. Under Filter Definition, change Match Any to Match All. Match Any is an AND operator and will let us search for criteria that matches both of these URIs.
    In the next steps, we will add a group of criteria that applies specifically to the URIs we added.
  8. Click Add Group.
    1. Click the Any Field drop-down and select Status Code.
    2. Select the greater than or equal to (≥) symbol.
    3. Type 400 in the number field.
  9. Click Add Filter inside the white box to add another filter to the group.
    1. Click the Any Field drop-down and select Processing Time.
    2. Select the greater than (>) symbol.
    3. Type 750 in the number field.
  10. In the Custom Display Name field, type a descriptive name to make the filter easy to identify on the results page, otherwise the display name shows the first filter and the number of other applied rules:
    We will type "Slow and Broken Web Assets" in the field.

  11. Click Save.
After you click Save, the query automatically runs, and returns records that match either URI and that have either a status code equal to or greater than 400 or a processing time that is greater than 750 milliseconds.
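
To make the group semantics concrete, here is an added evaluator for nested filter groups (Match Any = OR, Match All = AND, None = no rule in the group matches, per the list of advanced query rules above), written for this guide; it is not the appliance's query engine. It builds the "Slow and Broken Web Assets" filter in the logical form the preceding sentence describes (either URI, and either a status code of 400 or more or a processing time over 750 ms) and runs it over constructed HTTP records. The record field names, the record values and the four-level nesting limit check are assumptions for the example.

```javascript
// Added example: evaluate nested advanced-filter groups over records.
// Not ExtraHop's query engine; field names and records are constructed.

// A rule compares one field with a value using one of these operators.
const OPERATORS = {
  "=": (a, b) => a === b,
  "!=": (a, b) => a !== b,
  ">": (a, b) => a > b,
  ">=": (a, b) => a >= b,
  "<": (a, b) => a < b,
  "<=": (a, b) => a <= b,
};

const MAX_DEPTH = 4; // the UI allows groups nested to four levels

// Evaluate a rule ({field, op, value}) or a group ({match, rules}) against
// one record. `level` counts the group depth, starting at 1 for the top group.
function evaluate(node, record, level = 1) {
  if (node.match === undefined) {
    const op = OPERATORS[node.op];
    if (op === undefined) throw new Error("unknown operator " + node.op);
    return op(record[node.field], node.value);
  }
  if (level > MAX_DEPTH) {
    throw new Error("filter groups nested deeper than " + MAX_DEPTH + " levels");
  }
  const results = node.rules.map((child) => evaluate(child, record, level + 1));
  switch (node.match) {
    case "any": return results.some(Boolean);    // Match Any (OR)
    case "all": return results.every(Boolean);   // Match All (AND)
    case "none": return !results.some(Boolean);  // None
    default: throw new Error("unknown match mode " + node.match);
  }
}

// The walkthrough's filter: either URI, and either a 4xx/5xx status or a slow response.
const SLOW_AND_BROKEN = {
  name: "Slow and Broken Web Assets",
  match: "all",
  rules: [
    { match: "any", rules: [
      { field: "uri", op: "=", value: "assets.example.com" },
      { field: "uri", op: "=", value: "media.example.com" },
    ] },
    { match: "any", rules: [
      { field: "statusCode", op: ">=", value: 400 },
      { field: "processingTime", op: ">", value: 750 },
    ] },
  ],
};

// A variant using a None group: client errors on those URIs, excluding 5xx.
const BROKEN_NOT_SERVER_ERRORS = {
  name: "Broken Web Assets (no server errors)",
  match: "all",
  rules: [
    SLOW_AND_BROKEN.rules[0],
    { field: "statusCode", op: ">=", value: 400 },
    { match: "none", rules: [{ field: "statusCode", op: ">=", value: 500 }] },
  ],
};

// Constructed HTTP records (not real query results).
const SAMPLE_RECORDS = [
  { id: 1, uri: "assets.example.com", statusCode: 200, processingTime: 40 },
  { id: 2, uri: "assets.example.com", statusCode: 404, processingTime: 12 },
  { id: 3, uri: "media.example.com", statusCode: 200, processingTime: 1200 },
  { id: 4, uri: "www.example.com", statusCode: 503, processingTime: 2000 },
  { id: 5, uri: "media.example.com", statusCode: 400, processingTime: 750 },
];

// Return the ids of the records a filter keeps.
function applyFilter(filter, records) {
  return records.filter((r) => evaluate(filter, r)).map((r) => r.id);
}
```

applyFilter(SLOW_AND_BROKEN, SAMPLE_RECORDS) keeps records 2, 3 and 5: record 1 matches a URI but is neither broken nor slow, record 4 is both but is not one of the two URIs, and record 5 shows that a processing time of exactly 750 ms does not satisfy "greater than" while a status code of exactly 400 does satisfy "greater than or equal to". The None variant drops nothing extra here because no 5xx record has a matching URI, which is worth checking before trusting an exclusion group.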

Next steps

You can click Save Query as... from the top right of the page to save your criteria for another time.

Bundles concepts

Bundles are a saved set of system configurations that can be uploaded to an ExtraHop appliance. You can download a number of bundles from the ExtraHop Solution Bundle Gallery or create your own. Bundles from the gallery are designed to help you configure your ExtraHop appliances to address specific use cases; for example, the Ransomware Bundle configures your ExtraHop appliance to detect and track ransomware activity.

The following system customizations can be saved as part of a bundle:

  • Alerts
  • Applications
  • Custom pages
  • Dashboards
  • Dynamic groups
  • Flex grids
  • Geomaps
  • Triggers


Install a bundle

You can install a bundle from the ExtraHop Solution Bundle Gallery or you can install a bundle that you created on another ExtraHop appliance. To install a bundle, you must first download the bundle, upload the bundle to your ExtraHop appliance, and then apply the bundle.

Download a bundle from the ExtraHop website

You can download a number of pre-configured bundles created by the ExtraHop community.

  1. In a web browser, go to the ExtraHop Solution Bundles Gallery.
  2. Navigate to the bundle you want to download.
  3. Read all requirements and installation instructions for the bundle.
    Make sure that your ExtraHop appliance is running firmware later than the minimum version specified for the bundle. Bundles designed for later firmware versions might require features that are not available on earlier firmware.
  4. If you have not already logged into the ExtraHop website, click Login in the right pane and then specify a valid username and password.
  5. Click Download Now.
  6. Save the .json file to a location on your local machine.

Download a bundle from an ExtraHop appliance

  1. Log into the Web UI on the Discover or Command appliance.
  2. Click the System Settings icon and then click Bundles.
  3. In the Bundles table, click the name of the bundle.
  4. Click Download.
    The .json bundle file is downloaded to your local machine.

Upload and apply a bundle

After you have downloaded a bundle, you can upload and install the bundle on your appliance.

  1. Log into the Web UI of a Discover or Command appliance.
  2. Click the System Settings icon.
  3. Click Bundles.
  4. Click Upload.
  5. In the Load Bundle dialog box, click the Choose File button, and then select the bundle .json file.
  6. Click Upload.
  7. Select the Apply included assignments checkbox.
    Selecting this option assigns the bundle to the metric sources specified in the bundle. In most cases, it is best to apply the default assignments. However, keep in mind that more assignments will consume more system resources.
  8. From the Existing objects drop-down menu, select Overwrite.
    Selecting this option will overwrite any objects that have the same name as objects in the bundle. It is important to select overwrite to ensure that all bundle objects are imported and the bundle functions properly. However, we recommend that you check the names of objects in the bundle to make sure they are not shared with any objects in-use on your appliance.
  9. Click Apply.
  10. In the Bundle Import Status dialog box, click OK.
  11. In the View Bundle window, click OK.

Next steps

  • Follow any installation instructions on the bundle page in the ExtraHop Solution Bundles Gallery.
  • Enable any triggers included in the bundle.
  • Configure any alerts in the bundle to notify relevant email addresses.

Create a bundle

You can save system configurations to a bundle file and then upload that file to other appliances or share your bundle with the ExtraHop community.

Before you begin

If you are planning to upload your bundle to the ExtraHop Solution Bundle Gallery, we recommend you first read the Bundles Best Practices Guide. The guide describes how to configure your bundle to function properly in other environments.
  1. Log into the Web UI on the Discover or Command appliance.
  2. Click the System Settings icon and then click Bundles.
  3. On the Bundles page, click New.
  4. Complete the following information in the Bundle Settings window:
    Name
    Assign a name to the bundle.
    Author
    Specify the creator of the bundle. This name is applied to the author field of all objects in the bundle. If you do not specify an author, each bundle object retains its author setting.
    Required Version
    Specify the earliest version of ExtraHop firmware that the bundle can run on. We recommend that you specify the version of ExtraHop firmware that is currently running on your appliance. Specifying the current version prevents your bundle from being accidentally installed on an appliance that does not support the bundle.
    Note: If you try to import a bundle that requires a newer firmware version, a warning message displays in the Actions section of the Bundle Settings window. However, this warning does not prevent someone from uploading and applying the bundle.
    Contents
    Select the system configurations that you want to add to the bundle, such as triggers, dashboards, and alerts. Click the arrow to expand the list of available items.
    Description (Optional)
    Type a description about the bundle.
  5. Click OK to save the bundle.
  6. In the Bundles table, click the name of the bundle you created.
  7. Click Download.
    The .json bundle file is downloaded to your local machine.

Post a bundle to the ExtraHop website

After you create a bundle, you can post your bundle to the ExtraHop Solutions Bundle Gallery to share your work with the ExtraHop community.

  1. Download the bundle you want to share from your ExtraHop appliance.
    1. Log into the Web UI of a Discover or Command appliance.
    2. Click the System Settings icon.
    3. Click Bundles.
    4. Click the name of the bundle.
    5. Click Download.
      The bundle downloads as a .json file.
  2. In a web browser, go to the ExtraHop Solution Bundles Gallery.
  3. Click Contribute Now.
  4. Sign in with your extrahop.com username and password.
  5. In the Title field, type the bundle name.
  6. In the Minimum ExtraHop version field, type the earliest version of the ExtraHop firmware that supports all of the features contained in the bundle.
    We recommend that you specify the version of ExtraHop firmware that is currently running on your appliance. Specifying the current version ensures that your bundle will not be accidentally installed on an appliance that does not support the bundle.
  7. In the Select categories field, select an appropriate category.
    You can find descriptions of each bundle category on the bundle gallery page at https://www.extrahop.com/community/bundles/.
  8. In the Description field, type a description for the bundle.
    You can include Markdown syntax to style the Description, Requirements, and Installation instructions sections.
  9. In the Requirements field, type any requirements for the bundle.
    For example, the Ransomware Bundle requires that your data feed be configured to view SMB/CIFS traffic for your network-attached storage.
  10. In the Installation instructions field, type instructions for installing the bundle.
    For example, if your bundle requires the user to configure a trigger in a specific way, include that information in the installation instructions.
  11. Click the Browse button.
  12. Select the .json bundle file that you downloaded from the Discover or Command appliance.
  13. Review how the bundle page will display in the Bundle Details Preview section.
  14. Click Submit Bundle.
Bundles are reviewed by ExtraHop Support before the bundle appears on the ExtraHop website. The amount of time needed to review a bundle varies depending on the complexity and size of the bundle. In general, you can expect to see your bundle on the ExtraHop website within a few business days.

Essentials bundle

In addition to the built-in Activity and Network dashboards, the ExtraHop system also ships with the Essentials bundle. This bundle provides a set of customizations that are designed to readily display common and related network metrics through a series of dashboards.

Although the Essentials bundle is included on ExtraHop appliances by default, you must apply the bundle before you can view the contents of the bundle. Some of the dashboards also require you to enable triggers on the system.

Note: The Essentials bundle is designed to have minimal impact to your system, but you should always exercise caution when enabling a trigger.

Apply the Essentials bundle

  1. Log into the Web UI on the Discover or Command appliance.
  2. Click the System Settings icon and then click Bundles.
  3. From the list of bundles, select Essentials.
  4. Select the checkbox in the lower-right corner of the window to apply included assignments.
  5. From the Existing objects drop-down menu, select Overwrite.
    Selecting this option will overwrite any objects that have the same name as objects in the bundle.
  6. Click Apply, and then click OK.
Tip: To view the Essentials dashboards, click Dashboards. The dashboards are listed in the left pane, under My Dashboards.

Enable triggers for the Essentials bundle

The dashboards for encryption and DNS require you to enable two triggers that ship with the Essentials bundle.

  1. Click the System Settings icon and then click Triggers.
  2. From the list of triggers, select AAAA detection on IPV4 networks and Encryption Auditing Trigger (Application).
  3. Click Enable.
After these triggers are enabled, your network traffic must be processed before the metrics in the dashboards display any data.

System health concepts

You can assess the health and performance of an ExtraHop Discover appliance through system health tools. Monitoring system health data enables you to ensure that your Discover appliance is running as expected, to discover and troubleshoot issues, and to assess areas that need improvement. In addition, the ExtraHop Admin UI provides status information and diagnostic tools for all ExtraHop appliances.

The System Health page provides a large collection of charts with data such as packet throughput, heap allocation, and number of monitored devices. For example, you can monitor the number of packets processed by the ExtraHop system to ensure that packets are continuously captured. If you are sending data to a remote, third-party system through an open data stream (ODS), you can troubleshoot transmission errors to determine whether more memory should be dedicated to open data streams or whether an open data stream trigger requires modification.

Charts on the System Health page are divided into the following sections:

Capture
Displays charts that pertain to the health and performance of the wire data collected by the ExtraHop system.
Remote
Displays charts that pertain to the health and performance of open data stream (ODS) transmissions to a third-party syslog, database, or server.
Datastore
Displays charts that pertain to the health and performance of the ExtraHop datastore.
Trend
Displays charts that monitor performance and usage trends.
SSL certificates
Displays status information for all SSL certificates on the ExtraHop appliance.

Each chart enables you to view how the data changes over specified time intervals. The time interval selected in the Global Time Selector is applied to all charts on the page.

The sparklines on each chart contain data points that display additional details about a single point in time. Hover your mouse over a data point to display the additional details.

View Status and Diagnostics tools in the Admin UI

The Status and Diagnostics section of the ExtraHop Admin UI displays data about the ExtraHop appliance you are logged into and the wire data feed, and provides troubleshooting tools such as audit logs, exception files, and support packs. For example, you might want to monitor CPU statistics to determine whether CPU usage rates are within normal ranges. Or, you might want to consult audit logs to track down an issue.

The Admin UI is displayed by default when you log into an Explore or Trace appliance. To access the Admin UI from a Discover or Command appliance, click the System Settings icon, and then click Administration.

The Status and Diagnostics section includes the following pages:

Health statistics
Provides metrics to view the operating efficiency of the ExtraHop appliance.
Audit log
Enables you to view event logging data and to change syslog settings.
Exception files
Enable or disable the creation of ExtraHop appliance exception files.
Support packs
Upload and run ExtraHop appliance support packages.

Capture charts

Drops

Displays the percentage of packets dropped at the network card interface, SPAN, or network tap on an ExtraHop Discover appliance.

How this information can help you

Packet drops often result when appliance thresholds are exceeded. Refer to the Datasheets page to discover what the limits are for your ExtraHop Discover appliance. If the percentage of packet drops exceeds 2%, contact ExtraHop Support.

External timestamps

Displays the percentage of packets with an external timestamp read by the ExtraHop Discover appliance, based on the total number of packets processed.

How this information can help you

For internal purposes. The data in this chart might be requested by ExtraHop Support to help you diagnose an issue.

Capture heap allocation

Displays the amount of memory, expressed in bytes, that the ExtraHop Discover appliance dedicates to network packet capture.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Incoming packets breakdown

Displays the rate of incoming packets, expressed in packets per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of packets captured in the selected time interval.
Current
The number of packets captured during the most recent second.
Max
The maximum number of packets captured in the selected time interval.

The total, current, and maximum metrics are divided into the following categories:

Analyzed
The packets analyzed by the ExtraHop Discover appliance.
Filtered
The packets not included in network L2 metrics.
L2 duplicates
The identical Ethernet frames counted as duplicate L2 packets.
L3 duplicates
The identical TCP or UDP IPv4 packets counted as duplicate L3 packets.

How this information can help you

Exceeding product thresholds might result in data loss. For example, a high packet rate might result in packets dropped at the span source or at a span aggregator. Similarly, large amounts of L2 or L3 duplicates can also indicate an issue at the span source or span aggregator and might result in skewed or incorrect metrics.

The acceptable rate of packets per second depends on your product. Refer to the Datasheets page to discover what the limits are for your ExtraHop Discover appliance and determine if the rate of packets per second is too high.

Incoming throughput breakdown

Displays the throughput of incoming packets, expressed in bytes per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of bytes transferred in the selected time interval.
Current
The number of bytes transferred during the most recent second.
Max
The maximum number of bytes transferred in the selected time interval.

The total, current, and maximum metrics are divided into the following categories:

Analyzed
The throughput analyzed by the ExtraHop Discover appliance.
Filtered
The throughput not included in network L2 metrics.
L2 duplicates
The identical Ethernet frames counted as duplicate L2 throughput.
L3 duplicates
The identical TCP or UDP IPv4 packets counted as duplicate L3 throughput.

How this information can help you

Exceeding product thresholds might result in data loss. For example, a high throughput rate might result in packets dropped at the span source or at a span aggregator. Similarly, large amounts of L2 or L3 duplicates can also indicate an issue at the span source or span aggregator and might result in skewed or incorrect metrics.

The acceptable rate of bytes per second depends on your product. Refer to the Datasheets page to discover what the limits are for your ExtraHop Discover appliance and determine if the rate of bytes per second is too high.
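To make the L2 and L3 duplicate categories above concrete, here is an added example (not ExtraHop code) that classifies constructed mirrored frames the way the Incoming packets breakdown and Incoming throughput breakdown charts categorise them. It assumes untagged Ethernet, IPv4 only, and an L3 comparison key that ignores the TTL and IP header checksum so that a packet mirrored on both sides of a router counts as the same packet; whether the appliance uses that exact key is not stated in this guide.

```python
"""Classify mirrored frames as analyzed, L2 duplicate, or L3 duplicate.

Added illustration, not ExtraHop code. Assumptions (labelled): untagged
Ethernet frames, IPv4 only, and an L3 comparison key that ignores the TTL
and IP header checksum so a packet mirrored on both sides of a router is
still recognised as the same packet. All traffic below is constructed.
"""
import socket
import struct
from collections import Counter
from typing import Iterable, List

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src_mac: bytes, dst_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed untagged Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   payload: bytes, ident: int = 1, ttl: int = 64) -> bytes:
    """Minimal IPv4 + UDP packet (checksums left at zero; constructed, not real traffic)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0, ttl,
                         PROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip_hdr + udp


def l3_key(ip_packet: bytes) -> bytes:
    """Comparison key for IPv4 packets: TTL (byte 8) and header checksum (bytes 10-11) zeroed."""
    return ip_packet[:8] + b"\x00" + ip_packet[9:10] + b"\x00\x00" + ip_packet[12:]


def classify_frames(frames: Iterable[bytes]) -> Counter:
    """Count frames the way the Incoming packets breakdown chart categorises them.

    The seen-sets are unbounded here for clarity; a capture engine would age entries out.
    """
    seen_l2, seen_l3 = set(), set()
    counts = Counter(total=0, analyzed=0, l2_duplicates=0, l3_duplicates=0)
    for frame in frames:
        counts["total"] += 1
        if frame in seen_l2:               # byte-identical frame seen before: L2 duplicate
            counts["l2_duplicates"] += 1
            continue
        seen_l2.add(frame)
        ethertype = struct.unpack("!H", frame[12:14])[0]
        ip_packet = frame[ETH_HDR_LEN:]
        # Only TCP/UDP over IPv4 is checked for L3 duplicates, matching the chart's definition.
        if ethertype == ETHERTYPE_IPV4 and ip_packet[9] in (PROTO_TCP, PROTO_UDP):
            key = l3_key(ip_packet)
            if key in seen_l3:             # same packet, different Ethernet header: L3 duplicate
                counts["l3_duplicates"] += 1
                continue
            seen_l3.add(key)
        counts["analyzed"] += 1
    return counts


def duplicate_share(counts: Counter) -> float:
    """Fraction of incoming frames that were L2 or L3 duplicates (0.0 when nothing was seen)."""
    if counts["total"] == 0:
        return 0.0
    return (counts["l2_duplicates"] + counts["l3_duplicates"]) / counts["total"]


# Constructed sample: one DNS query mirrored by SPAN sessions on both sides of a router.
MAC_CLIENT, MAC_RTR_IN, MAC_RTR_OUT, MAC_SERVER = (bytes([0x02, 0, 0, 0, 0, n]) for n in range(1, 5))
QUERY = build_ipv4_udp("10.0.0.5", "10.0.1.9", 40000, 53, b"constructed-dns-query", ident=7)
SAMPLE_FRAMES: List[bytes] = [
    build_frame(MAC_CLIENT, MAC_RTR_IN, ETHERTYPE_IPV4, QUERY),             # analyzed
    build_frame(MAC_CLIENT, MAC_RTR_IN, ETHERTYPE_IPV4, QUERY),             # same frame mirrored twice: L2 duplicate
    build_frame(MAC_RTR_OUT, MAC_SERVER, ETHERTYPE_IPV4,                    # routed copy: new MACs, TTL 63
                build_ipv4_udp("10.0.0.5", "10.0.1.9", 40000, 53, b"constructed-dns-query", ident=7, ttl=63)),
    build_frame(MAC_CLIENT, MAC_RTR_IN, ETHERTYPE_IPV4,                     # different query: analyzed
                build_ipv4_udp("10.0.0.5", "10.0.1.9", 40001, 53, b"another-query", ident=8)),
    build_frame(MAC_CLIENT, b"\xff" * 6, ETHERTYPE_ARP, b"\x00" * 28),     # ARP: no L3 check, analyzed
]

if __name__ == "__main__":
    result = classify_frames(SAMPLE_FRAMES)
    print(dict(result), f"duplicate share {duplicate_share(result):.0%}")
```

A high duplicate share from a set of frames like these points at the span source or aggregator, as the chart guidance above describes, rather than at the appliance.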

Packet capture disk throughput

Displays the rate of bytes captured by the ExtraHop Discover appliance, expressed in bytes per second.

This chart also has the following metrics:

Total
The total number of bytes captured in the selected time interval.
Current
The number of bytes captured during the most recent second.
Max
The maximum number of bytes captured in a single second within the selected time interval.

How this information can help you

Monitor this chart for high amounts of throughput to the capture disk, which can indicate a large number of triggers with packet capture enabled. You might need to reassess the number of triggers or optimize packet capture triggers.

RPCAP packets

Displays the rate of remote packet capture (RPCAP) for all RPCAP peers, expressed in packets per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of RPCAP packets captured in the selected time interval.
Current
The number of RPCAP packets captured during the most recent second.
Max
The maximum number of RPCAP packets captured in the selected time interval.

The total, current, and maximum metrics are divided into the following categories:

Encapsulation
The total number of RPCAP-encapsulated packets received by the Discover appliance.
Tunnel Eligible
The total number of RPCAP packets eligible to be forwarded to the Discover appliance.
Tunnel Sent
The total number of RPCAP-tunneled packets forwarded to the Discover appliance.
Tunnel Received
The total number of RPCAP-tunneled packets received by the Discover appliance.

The chart title contains the number of RPCAP peers. You can click the chart to open a second chart that displays the RPCAP packet metrics on a per-peer basis.

The RPCAP chart is only displayed if remote packet capture is enabled on the Discover appliance.

How this information can help you

Consult this chart after the initial setup of RPCAP to ensure that data is captured from every remote device on which RPCAP is deployed.

RPCAP throughput

Displays the rate of RPCAP throughput metrics for all RPCAP peers, expressed in bytes per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of RPCAP bytes transferred in the selected time interval.
Current
The number of RPCAP bytes transferred during the most recent second.
Max
The maximum number of RPCAP bytes transferred in the selected time interval.

The total, current, and maximum metrics are divided into the following categories:

Encapsulation
The total number of RPCAP-encapsulated bytes received by the Discover appliance.
Tunnel Received
The total number of RPCAP-tunneled bytes received by the Discover appliance.

The chart title contains the number of RPCAP peers. You can click the chart to open a second chart that displays the RPCAP throughput metrics on a per-peer basis.

The RPCAP chart is only displayed if remote packet capture is enabled on the Discover appliance.

How this information can help you

Monitor this chart to ensure efficient usage of RPCAP resources and ensure that the Discover appliance can accommodate increases in RPCAP throughput.

TCP desyncs

Displays the occurrence rate of system-wide desyncs, expressed in desyncs per second, on the ExtraHop Discover appliance. A desync indicates that a transaction did not follow typical TCP behavior.

This chart also has the following metrics:

Total
The total number of desyncs that occurred in the selected time interval.
Current
The number of desyncs that occurred during the most recent second.
Max
The maximum number of desyncs that occurred in the selected time interval.

How this information can help you

A desync is recorded if synchronization is lost when processing a TCP connection. Large numbers of desyncs, such as over 100, might indicate dropped packets on the monitoring interface, SPAN, or network tap.

If adjustments to your SPAN do not reduce a large number of desyncs, contact ExtraHop Support.

Trigger drops

Displays the number of triggers dropped from the queue of triggers waiting to run on the ExtraHop Discover appliance.

How this information can help you

Any data displayed on this chart indicates that trigger drops are occurring and that trigger queues are backed up.

The Discover appliance queues trigger operations if a trigger thread is overloaded. If the queue grows too long, the system stops adding trigger operations to the queue and drops the triggers. Currently running triggers are unaffected.

The primary cause of long queues, and subsequent trigger drops, is a long-running trigger.

Trigger exceptions by trigger

Displays the number of unhandled exceptions, sorted by trigger, that occurred on the ExtraHop Discover appliance. You can click the chart to open a second chart. This is the same secondary chart displayed from the Trigger Load by Trigger chart.

How this information can help you

Trigger exceptions are the primary cause of trigger performance issues. If this graph indicates a trigger exception has occurred, the trigger should be corrected immediately.

Trigger executes

Displays the number of times triggers were run per second during the selected time interval. The chart provides an overall snapshot of all triggers currently running on the ExtraHop Discover appliance.

How this information can help you

Look for spikes or an upward trend in the chart and investigate any triggers that have resulted in the surge. For example, you might notice increased activity if a trigger has been modified or a new trigger has been enabled. View the Trigger executes by trigger chart to see which triggers are running most frequently.

Trigger executes by trigger

Displays the number of times each active trigger ran during the selected time interval on the ExtraHop Discover appliance.

How this information can help you

Look for triggers that run significantly more frequently than average, which might indicate several issues. For example, a trigger assigned to all applications or all devices might have a heavy performance cost. A trigger assigned to a device group that has been expanded might collect metrics that you do not want. To minimize performance impact, a trigger should be assigned only to the specific sources that you need to collect data from.

High activity might also indicate that a trigger is working harder than it needs to. For example, a trigger might run on multiple events where it would be more efficient to create separate triggers, or a trigger script might not adhere to recommended scripting guidelines as described in the Triggers Best Practices Guide.

Trigger heap allocation

Displays the amount of memory, expressed in bytes, that the ExtraHop Discover appliance dedicates to processing capture triggers.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Trigger load

Displays the percentage of cycles on the ExtraHop Discover appliance that are consumed by triggers based on the total capture thread time.

You can mouse over a point on the graph to display the following metrics:

Load
The trigger cycle load at the selected point in time.
Cycles
The number of consumed cycles out of the total available cycles.
Executes
The number of trigger operations and the average number of trigger operations per second.
Average per execute
The average number of cycles consumed per trigger operation.

How this information can help you

Look for spikes or upward growth of the trigger load, especially after creating a new trigger or modifying an existing trigger. If you notice either condition, view the Trigger load by trigger chart to see which triggers are consuming the most resources.

Trigger load by thread

Displays the percentage of trigger cycle consumption per thread that occurred on the ExtraHop Discover appliance, based on the total capture time of the thread.

How this information can help you

The sparklines on this chart should display an even amount of consumption among multiple threads. Trigger drops might occur if the consumption of one thread is considerably higher than the others, even if the thread consumption is at a low percentage. For example, if consumption on one thread is 10% and 25% on another, then consumption is uneven and you should contact ExtraHop Support.

Trigger load by trigger

Displays the number of cycles consumed by each trigger enabled on the ExtraHop Discover appliance. You can click the chart to open a second chart that displays the consumption metrics on a per-trigger basis.

How this information can help you

Determine if any trigger appears to be consuming more cycles than average. If so, click to open the second chart and review the number of times the trigger has run. If the trigger has not run often, the trigger might be consuming more cycles than necessary, which can cause trigger drops.

Remote charts

The Remote section of the System Health page contains charts that pertain to the health and performance of open data stream (ODS) transmissions to a third-party syslog, database, or server.

The Remote section provides the following charts:

Connections

Displays the number of attempts by the ExtraHop Discover appliance to connect to remote, third-party systems through open data streams (ODS).

You can mouse over a point on the graph to display data in the following categories:

Connection attempts
The number of attempts to connect to the remote system.
Connection errors
The number of errors that occurred during attempts to connect to the remote system.

You can click the chart to open a second chart, which is the same secondary chart displayed from the Messages sent chart.

How this information can help you

Monitor this chart for an at-a-glance view of connection metrics. Consult the secondary chart to determine which ODS is experiencing connection issues. You can also monitor connection metrics from the Messages sent or Message throughput charts.

Remote heap allocation

Displays the amount of memory, expressed in bytes, that the ExtraHop Discover appliance dedicates to open data streams (ODS).

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Message errors

Displays the errors detected during the transmission of data from the ExtraHop Discover appliance to remote, third-party systems through an open data stream (ODS).

You can mouse over a point on the graph to display data in the following categories:

Send errors
The number of errors that occurred during the transmission of data to the remote system.
Parse errors
The number of times a message could not be sent due to encoding issues in the trigger script.
Bad targets
The number of times a remote system could not be located. Bad targets often occur when the name of the remote system specified in the trigger script does not match the name configured in the Admin UI.
Queue full
The number of times the message queue was full. A full queue occurs when the remote system cannot handle the current message rate.

You can click the chart to open a second chart, which is the same secondary chart displayed from the Messages sent chart.

How this information can help you

If you have noticed errors on either the Messages sent or Message throughput charts, consult this chart to determine the type of errors associated with an ODS. For example, send errors might require you to update the ODS configuration, and you might need to correct trigger script issues if you see parse errors.

Message queue length

Displays the number of messages in the internal message queue that are waiting to be sent through an open data stream (ODS) from the ExtraHop Discover appliance.

How this information can help you

A long message queue might indicate that the Discover appliance is sending data faster than the remote system can process and could result in dropped messages. Refer to the Messages dropped chart to determine if message drops have occurred.

Message throughput

Displays the throughput of message data, expressed in bytes per second, sent to remote, third-party systems from the ExtraHop Discover appliance through an open data stream (ODS).

This chart also has the following metrics:

Total
The total number of message bytes transferred during the selected time interval.
Current
The number of message bytes transferred during the most recent second.
Max
The maximum number of message bytes transferred during the selected time interval.

You can click the Message Throughput chart to open a second chart that displays the total number of message bytes transferred and the total number of message bytes seen by remote systems. The chart also displays the following information for each ODS:

Sent
The number of message bytes sent to the remote system.
Seen
The number of message bytes seen by the remote system.
Send errors
The number of errors that occurred during the transmission of data to the remote system.
Connection attempts
The number of attempts to connect to the remote system.
Connection errors
The number of errors that occurred during attempts to connect to the remote system.
Queue full
The number of times the queue was full because the remote system could not handle the current message rate.

How this information can help you

Monitor this chart to ensure that bytes are being transferred as expected. If no bytes are sent, there might be an issue with the configuration of an ODS or an ODS trigger.

Check for high numbers in the send errors, connection errors, and queue full counts, which might indicate problems with your data streams. Refer to the secondary chart to view which ODS configurations have errors and refer to the Message errors chart to view the error types that were generated.

Messages dropped

Displays the number of messages dropped from an Open Data Stream (ODS) because the internal message queue was full.

How this information can help you

Dropped messages might indicate that the ExtraHop Discover appliance is sending data faster than the remote system can process. A long queue can cause messages to drop. Refer to the Message queue length chart to determine if the wait for messages to be sent is unusually long.

Messages sent

Displays the number of messages per second that were sent to remote, third-party systems from the ExtraHop Discover appliance through an open data stream (ODS).

This chart also has the following metrics:

Total
The total number of messages sent during the selected time interval.
Current
The number of messages sent during the most recent second.
Max
The maximum number of messages sent during the selected time interval.

You can click the Messages Sent chart to open a second chart that displays the total number of messages sent and the total number of messages seen by remote systems both for all open data streams and for an individual open data stream. The chart also displays the following information about each ODS:

Sent
The number of messages sent to the remote system.
Seen
The number of messages seen by the remote system.
Send errors
The number of errors that occurred during the transmission of data to the remote system.
Connection attempts
The number of attempts to connect to the remote system.
Connection errors
The number of errors that occurred during attempts to connect to the remote system.
Queue full
The number of times the queue was full because the remote system could not handle the current message rate.

How this information can help you

Monitor this chart to ensure that packets are sent as expected. If no packets are sent, there might be an issue with the configuration of an open data stream or an open data stream trigger.

Check for high numbers in the send errors, connection errors, and queue full counts, which might indicate problems with your data streams. Refer to the secondary chart to view which open data streams have errors and refer to the Message errors chart to view the error types that were generated.
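The guidance in the Capture and Remote chart descriptions above (packet drops above 2%, desyncs over 100, any trigger drop, uneven load across trigger threads, and ODS parse errors, bad targets and dropped messages) can be turned into an automated check. This is an added example, not ExtraHop code and not an appliance export format; the HealthSample fields, the 10-point thread-spread rule and the sample values are my own assumptions.

```python
"""Evaluate one System Health sample against the guidance in this guide.

Added illustration, not ExtraHop code. Thresholds the guide states: drops
above 2%, desyncs over 100, any trigger drop, and any ODS parse error, bad
target or dropped message. The uneven-thread rule (a spread of more than
10 percentage points between the busiest and least busy trigger thread) is
an assumption of this example, chosen so the guide's 10% vs 25% case trips it.
"""
from dataclasses import dataclass
from typing import List

DROP_PCT_LIMIT = 2.0         # Drops chart: contact Support above this
DESYNC_LIMIT = 100           # TCP desyncs chart: "over 100" suggests packet loss
THREAD_SPREAD_LIMIT = 10.0   # assumption, see module docstring


@dataclass
class HealthSample:
    """One point in time, constructed from the chart names in this section."""
    drop_pct: float                  # Drops chart, percent of packets dropped
    desyncs: int                     # TCP desyncs chart, Total over the interval
    trigger_drops: int               # Trigger drops chart
    thread_load_pct: List[float]     # Trigger load by thread chart, one value per thread
    ods_parse_errors: int = 0        # Message errors chart
    ods_bad_targets: int = 0
    ods_send_errors: int = 0
    ods_messages_dropped: int = 0    # Messages dropped chart


@dataclass
class Finding:
    chart: str     # which System Health chart to open
    detail: str    # what the guide says the condition usually means


def evaluate(s: HealthSample) -> List[Finding]:
    """Apply the guide's thresholds to one sample and return the charts worth opening."""
    out: List[Finding] = []
    if s.drop_pct > DROP_PCT_LIMIT:
        out.append(Finding("Drops", f"{s.drop_pct:.1f}% dropped exceeds {DROP_PCT_LIMIT}%; "
                                    "check appliance limits, then contact Support"))
    if s.desyncs > DESYNC_LIMIT:
        out.append(Finding("TCP desyncs", f"{s.desyncs} desyncs; suspect packet loss at the "
                                          "SPAN, tap or monitoring interface"))
    if s.trigger_drops > 0:
        out.append(Finding("Trigger drops", f"{s.trigger_drops} trigger drops; queues are backed "
                                            "up, look for a long-running trigger"))
    if len(s.thread_load_pct) > 1:
        spread = max(s.thread_load_pct) - min(s.thread_load_pct)
        if spread > THREAD_SPREAD_LIMIT:   # uneven even at low absolute percentages
            out.append(Finding("Trigger load by thread", f"uneven consumption (spread "
                                                         f"{spread:.0f} points); contact Support"))
    if s.ods_parse_errors:
        out.append(Finding("Message errors", f"{s.ods_parse_errors} parse errors; fix encoding "
                                             "in the ODS trigger script"))
    if s.ods_bad_targets:
        out.append(Finding("Message errors", f"{s.ods_bad_targets} bad targets; ODS name in the "
                                             "trigger does not match the Admin UI"))
    if s.ods_send_errors:
        out.append(Finding("Message errors", f"{s.ods_send_errors} send errors; review the ODS "
                                             "configuration"))
    if s.ods_messages_dropped:
        out.append(Finding("Messages dropped", f"{s.ods_messages_dropped} messages dropped; the "
                                               "remote system cannot keep up, check Message queue length"))
    return out


def flagged_charts(s: HealthSample) -> List[str]:
    """Distinct chart names with at least one finding, in evaluation order."""
    charts: List[str] = []
    for f in evaluate(s):
        if f.chart not in charts:
            charts.append(f.chart)
    return charts


# Constructed samples (not appliance data): one appliance under strain, one healthy.
UNHEALTHY = HealthSample(drop_pct=3.5, desyncs=250, trigger_drops=4,
                         thread_load_pct=[10, 25, 12, 11],
                         ods_parse_errors=3, ods_messages_dropped=17)
HEALTHY = HealthSample(drop_pct=0.4, desyncs=12, trigger_drops=0,
                       thread_load_pct=[18, 20, 19, 21])

if __name__ == "__main__":
    for finding in evaluate(UNHEALTHY):
        print(f"[{finding.chart}] {finding.detail}")
    print("healthy sample findings:", evaluate(HEALTHY))
```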

Datastore charts

Active devices

Displays the total number of active L2, gateway, pseudo, custom, and L3 devices monitored by the ExtraHop system in the selected time interval.

This chart also has the following metrics:

Current
The number of active devices during the most recent second.
Average
The average number of active devices in the selected time interval.
Max
The maximum number of active devices in the selected time interval.

How this information can help you

Monitor this chart after making SPAN configuration changes to ensure that there were no unintended consequences that could put the ExtraHop system in a bad state. For example, accidental inclusion of a network can strain the limits of the ExtraHop system capabilities by consuming more resources, requiring more packet handling, and exceeding device limits, which results in poor performance. Check that the ExtraHop system is monitoring the expected number of active devices.

Total devices

Displays the total number of L2, gateway, pseudo, custom, and L3 devices monitored by the ExtraHop system, whether active or inactive, in the selected time interval.

This chart also has the following metrics:

Current
The number of devices during the most recent second.
Average
The average number of devices in the selected time interval.
Max
The maximum number of devices in the selected time interval.

How this information can help you

Monitor this chart after making SPAN configuration changes to ensure that there were no unintended consequences that could put the ExtraHop system in a bad state. For example, accidental inclusion of a network can strain the limits of the ExtraHop system capabilities by consuming more resources, requiring more packet handling, and exceeding device limits, which results in poor performance. Check that the ExtraHop system contains the expected number of total devices.

Block object combinations

Displays the number of block object combinations on the ExtraHop Discover appliance that occurred in a given time frame. Block object combinations occur when multiple portions of memory that contain metrics are combined.

How this information can help you

A high number of block object combinations might result from triggers that are creating a large amount of custom metrics or committing metrics to a high number of applications.

Datastore disk read throughput

Displays the disk read throughput rate, expressed in reads per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of disk reads in the selected time interval.
Current
The number of disk reads during the most recent second.
Max
The maximum number of disk reads in the selected time interval.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Datastore disk write throughput

Displays the disk write throughput rate, expressed in writes per second, on the ExtraHop Discover appliance. The chart displays data for the selected time interval and for 1 hour, 5 minute, and 30 second intervals.

This chart also has the following metrics:

Total
The total number of disk writes in the selected time interval.
Current
The number of disk writes during the most recent second.
Max
The maximum number of disk writes in the selected time interval.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Datastore heap allocation

Displays the amount of memory that the ExtraHop Discover appliance dedicates to the datastore, expressed in bytes.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Datastore metric size

Displays the metric size distribution on the ExtraHop Discover appliance. You can click the Metric Size chart to open a second chart that displays the maximum size of each metric size.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Working set size

Displays the write cache working set size for metrics on the ExtraHop Discover appliance. The working set size indicates how many metrics can be written to the cache for the selected time interval and for 1 hour, 5 minute, and 30 second intervals.

This chart also has the following metrics:

Cycle
The primary time interval.
Current
The working set size during the most recent second.
Max
The maximum working set size in the selected time interval.

How this information can help you

The data on this chart might spike after trigger creation or trigger modification if the trigger script is not collecting metrics efficiently.

Store lookback

Displays the estimated datastore lookback metrics on the ExtraHop Discover appliance. Lookback metrics are available in 1 hour, 5 minute, and 30 second time intervals based on the write throughput rate, which is expressed in bytes per second.

How this information can help you

Refer to this chart to determine how far back you are able to look up historical data for given time intervals. For example, you might be able to look up 1 hour intervals of data as far back as 9 days.

Store read throughput

Displays the datastore read throughput rate, expressed in reads per second, on the ExtraHop Discover appliance.

This chart also has the following metrics:

Total
The total number of datastore reads in the selected time interval.
Current
The number of datastore reads during the most recent second.
Max
The maximum number of datastore reads in the selected time interval.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Store write throughput

Displays the datastore write throughput rate, expressed in writes per second, on the ExtraHop Discover appliance. The chart displays data for the selected time interval and for 1 hour, 5 minute, and 30 second intervals.

This chart also has the following metrics:

Total
The total number of datastore writes in the selected time interval.
Current
The number of datastore writes during the most recent second.
Max
The maximum number of datastore writes in the selected time interval.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Datastore trigger drops

Displays the number of datastore-specific triggers dropped from the queue of triggers waiting to run on the ExtraHop Discover appliance.

How this information can help you

Any data displayed on this chart indicates that datastore trigger drops are occurring and that trigger queues are backed up.

The system queues trigger operations if a trigger thread is overloaded. If the datastore trigger queue grows too long, the system stops adding trigger operations to the queue and drops the triggers. Currently running triggers are unaffected.

The primary cause of long queues, and subsequent trigger drops, is a datastore long-running trigger.

Datastore trigger exceptions by trigger

Displays the number of unhandled exceptions caused by datastore-specific triggers on the ExtraHop Discover appliance. You can click the chart to open a second chart, which is the same secondary chart displayed from the Datastore Trigger Load by Trigger chart.

How this information can help you

Datastore trigger exceptions are the primary cause of trigger performance issues. If this graph indicates a trigger exception has occurred, the datastore trigger should be corrected immediately.

Datastore trigger executes

Displays the number of times datastore-specific triggers on the ExtraHop Discover appliance were run per second during the selected time interval.

How this information can help you

A single datastore trigger that runs often might indicate that the trigger has been assigned to all sources, such as all applications or all devices. To minimize performance impact, assign a trigger only to the specific sources that you need to collect data from.

Refer to the secondary chart available from the Datastore trigger load by trigger chart to view which datastore triggers are running most frequently.

Datastore trigger heap allocation

Displays the amount of memory, expressed in bytes, that the ExtraHop Discover appliance dedicates to the datastore triggers.

How this information can help you

The data in this chart is for internal purposes and might be requested by ExtraHop Support to help you diagnose an issue.

Datastore trigger load

Displays the percentage of cycles consumed by datastore-specific triggers on the ExtraHop Discover appliance, based on the total capture thread time.

You can mouse over a point on the graph to display the following metrics:

Load
The trigger cycle load at the selected point in time.
Cycles
The number of consumed cycles out of the total available cycles.
Executes
The number of trigger operations and the average number of trigger operations per second.
Average per execute
The average number of cycles consumed per trigger operation.
How this information can help you

Look for spikes or upward growth of the datastore trigger load, especially after creating a new datastore trigger or modifying an existing datastore trigger. If you notice either, refer to the Datastore trigger load by trigger chart to see which datastore triggers are consuming the most resources.

Datastore trigger load by trigger

Displays the number of cycles consumed by each datastore-specific trigger that is enabled and running on the ExtraHop Discover appliance. You can click the chart to open a second chart that displays the consumption metrics on a per-trigger basis.

How this information can help you

Determine if any datastore trigger appears to be consuming more cycles than average. If so, click to open the second chart and look up the number of times the trigger has run. If the trigger has not run often, the trigger is consuming more cycles than necessary, which can cause datastore trigger drops.

Trend charts

The Trend section of the System Health page contains charts that monitor performance and usage trends.

The Trend section provides the following charts:

Performance overview

Displays the percentage of trend resources consumed on the ExtraHop Discover appliance within the last hour, and the date and time of the last trend recorded.

How this information can help you

Monitor this data to determine whether the percentage of consumption by trends is efficient and allows for sufficient headroom.

Trend details

Displays the total processing time, expressed in milliseconds, for each trend on the ExtraHop Discover appliance during the last hour. The Trend Details chart also displays the trend type, such as alert or custom page.

How this information can help you

Monitor this chart for trends that have high processing times and assess the trend configuration. The trend type can help you locate the source of the trend data. You can also disable or enable a trend from this chart.

SSL certificates

The System Health page provides access to the SSL Certificates table, which displays a list of all certificates that perform decryption on the ExtraHop Discover appliance.

Click Certificates at the top of the System Health page. The SSL Certificates table displays the following status information for each certificate:

Decrypted
The number of sessions that were successfully decrypted.
Unsupported
The number of sessions that could not be decrypted with passive analysis because the negotiated key exchange does not depend on the server private key, such as ephemeral Diffie-Hellman (DHE and ECDHE). With these suites the session keys are derived from one-time values, so holding the server certificate and private key is not enough to recover them from a passive copy of the traffic.
Detached
The number of sessions that were not decrypted or only partially decrypted due to desyncs.
Passthrough
The number of sessions that were not decrypted due to hardware errors, such as those caused by exceeding the specifications of SSL acceleration hardware.

How this information can help you

Monitor this page to ensure that the correct SSL certificates are installed on the ExtraHop Discover appliance and are performing decryption as expected.

Status and diagnostics tools in the Admin UI

The Status and Diagnostics section provides metrics about the overall health of the ExtraHop Discover appliance and diagnostic tools that enable ExtraHop Support to troubleshoot system errors.

The Status and Diagnostics section includes the following tools:

Health statistics

A Health page is available on any ExtraHop appliance that you log into, which provides a collection of metrics about the operation of that appliance.

If issues occur with the ExtraHop appliance, the following metrics on the Health page can help you to troubleshoot the problem and determine why the ExtraHop appliance is not performing as expected.

System status
Information about the system CPU usage and hard disk.
Bridge status
Information about the ExtraHop appliance bridge component.
Capture status
Information about the ExtraHop appliance network capture process.
Service status
Information about the status of ExtraHop appliance services such as alerts, trends, or exconfig.
Interface status
Information about the status of ExtraHop appliance system interfaces.
Partition status
Information about the non-volatile random-access memory (NVRAM) status and usage of ExtraHop appliance components.

For more information about the Health page, see the ExtraHop Admin UI Guide.

How this information can help you

The information on this page helps you assess the performance of ExtraHop system services; however, it is most important to monitor the number of packets received in the Interface section. An extreme drop or stop in the number of received packets indicates a serious issue with the ExtraHop system and requires immediate resolution.

Audit log

An audit log is available on any ExtraHop appliance that you log into, which provides data about the operations and activity, broken down by component, for that appliance. The audit log lists all known events by timestamp, in reverse chronological order. In the Syslog Settings on the Audit Log page, you can configure where to send audit logs.

The ExtraHop appliance collects the following log data and reports the results on the Audit Log Activity page:

Time
The time when the event occurred.
User
The ExtraHop system user who initiated the logged event.
Operation
The ExtraHop system operation that generated the logged event.
Details
The outcome of the event, such as Success, Modified, Execute, or Failure. Each log entry also identifies the originating IP address, when available.
Component
The ExtraHop system component that is associated with the logged event.

For more information about the Audit Log page, see the ExtraHop Admin UI Guide.

How this information can help you

After an issue with the ExtraHop appliance occurs, consult the audit log to view detailed diagnostic data to determine what might have caused the issue.

Exception files

If enabled, exception files are available on any ExtraHop appliance that you log into. When you enable the Exception File setting, a core file of the data stored in memory is written to the disk if the system unexpectedly stops or restarts. This file can help ExtraHop Support diagnose the issue. Because a core file is a snapshot of process memory, it can contain captured payload data and the private keys loaded for SSL decryption; store and transfer it as sensitive data.

For more information about exception files, see the ExtraHop Admin UI Guide.

How this information can help you

Exception files are for internal purposes and might be requested by ExtraHop Support to help diagnose an issue.

Support packs

Support packs are available on any ExtraHop appliance that you log into. ExtraHop Support might provide a support pack that can apply a special setting, make a small adjustment to the ExtraHop appliance, or provide help with remote support or enhanced settings. Because a support pack changes the behavior of the appliance, apply only packs that ExtraHop Support provided for your case.

The Admin UI enables you to upload and run diagnostic support packages to discover issues on the ExtraHop system.

For more information about support packs, see the ExtraHop Admin UI Guide.

How this information can help you

Support packs are for internal purposes and might be requested by ExtraHop Support to help diagnose an issue.

System Health FAQ

Here are some answers to frequently asked questions about System Health.

How do I check for possible data loss?

The best indicators of data loss are dropped packets, TCP desyncs, and excessively high packet or throughput rates.

  • Check the Drops chart for packets dropped at the network card interface, SPAN, or network tap.
  • Check the TCP desyncs chart for system-wide desyncs, which indicate that synchronization was lost when processing a TCP connection.
  • Monitor the following charts to ensure that the ExtraHop Discover appliance is not exceeding product thresholds:

    A high packet rate or throughput rate might result in packets dropped at the span source or at a span aggregator. Acceptable rates and limits are available on the Datasheets for Discover appliances.

How do I monitor resource consumption?

The Discover appliance allocates memory resources for capturing packets, running triggers, transmitting data to remote servers, and recording to the datastore.

Check the following charts for the amount of memory that the Discover appliance dedicates to each resource area over a given time range:

How do I check the performance of my RPCAP deployments?

After the initial setup of a remote packet capture (RPCAP) deployment, it is a good idea to make sure your deployment is working as expected.

  • Check the RPCAP packets chart to ensure that packets are being captured and that the volume matches your network traffic.
  • Monitor the RPCAP throughput chart to check whether RPCAP resources are being consumed efficiently. If RPCAP resources are heavily consumed, you could have expansion problems as throughput increases or as you add RPCAP deployments.

Are my triggers running properly?

To get the most out of your triggers, make sure that new and modified triggers are running, and monitor for problems that can affect system performance or produce incorrect data.

  • View the Trigger executes chart to ensure that the amount of trigger activity is consistent with your expectations. Look for bursts of trigger activity that might indicate inefficient behavior from one or more triggers.
  • View the Trigger executes by trigger chart after you have created a new trigger or modified an existing one to ensure that the trigger is running. Any trigger consuming higher resources than average might have a poorly-optimized script that is affecting performance.
  • Check the Trigger exceptions by trigger chart to display any unhandled trigger exceptions. Exceptions are a large contributor to system performance issues and should be corrected immediately.
  • Check the Trigger drops chart to view the number of triggers that have been dropped from the trigger queue. A common cause of dropped triggers is a long-running trigger that is dominating resource consumption.

You can monitor whether your datastore triggers, also referred to as bridge triggers, are running properly with the following charts:

How do triggers affect my Discover appliance?

In addition to monitoring how well your triggers are running, the System Health page provides charts that enable you to monitor and assess the impact of running triggers to your Discover appliance.

  • View the Trigger load chart to display several measurements of resource consumption by all running triggers. Look for spikes in consumption that can indicate that a new trigger has been introduced or that an existing trigger is having issues.
  • Check the Trigger load by trigger chart to view the number of cycles consumed by each running trigger. A trigger that runs seldom but consumes more cycles than average can cause other triggers to be dropped from the queue. To investigate further, click this chart to open a details page that contains additional per-trigger consumption metrics, such as the number of cycles and the number of exceptions.
  • Check the Trigger load by thread chart to view the percentage of trigger cycle consumption of each thread allocated to trigger operations. Look for an even amount of consumption among multiple threads. Trigger drops might occur if the consumption of one thread is considerably higher than the others, even if the thread consumption is at a low percentage.
You can monitor the impact of datastore triggers, also referred to as bridge triggers, that are running on your Discover appliance with the following charts:

How are my open data streams performing?

You can monitor charts that pertain to the health and performance of open data stream (ODS) transmissions to a third-party syslog, database, or server.

  • Click the Messages sent chart to view the total number of messages transmitted by all active data streams. Monitor this chart to ensure that messages are being transmitted as expected. If no messages are sent, there might be an issue with the configuration of an open data stream or an ODS trigger.
  • Click the Message throughput chart to view the total number of bytes transmitted by all active data streams. Monitor this chart to ensure that bytes are being transmitted as expected. If no bytes are sent, there might be an issue with the configuration of an open data stream or an ODS trigger.
  • Check the Connections chart for an at-a-glance view of attempts to connect to ODS targets and errors that occurred during the attempts.
  • Check the Message errors chart to view which ODS connections resulted in errors. Mouse over the graph to display additional error details that help you determine the cause of an error.
  • Monitor the Messages dropped chart to view the number of messages dropped from an open data stream because the message queue was full. Dropped messages indicate that the message queue is too long.
  • Monitor the Message queue length chart to display the number of messages waiting in the queue. A long message queue might indicate that the Discover appliance is sending data faster than the remote system can process.

What is the estimated lookback capacity?

Lookback refers to how far back you are currently able to look up historical data. For example, you might be able to look up 1-hour intervals of data as far back as 9 days.

  • Monitor the Store lookback chart to determine the current estimated lookback capacity of your Discover appliance. The chart displays lookback metrics for 1 hour, 5 minute, and 30 second time intervals based on the write throughput rate.

How many devices is the appliance monitoring?

The System Health page provides charts that help you determine how many L2, gateway, pseudo, custom, and L3 devices are monitored by the Discover appliance.

  • Check the Active devices chart to ensure that the total number of active devices being monitored is as expected.
  • Check the Total devices chart to ensure that the total number of all devices recognized by the Discover appliance, whether active or inactive, is as expected.

Are my SSL certificates decrypting as expected?

You can access a list of all certificates that perform decryption on the Discover appliance by clicking Certificates at the top of the System Health page.

  • Check the SSL certificates table to ensure that the correct SSL certificates are installed on the Discover appliance and to view decryption metrics for each certificate. Decryption metrics help you determine if your certificates are performing decryption as expected. For example, you can check the number of successfully decrypted sessions or the number of sessions that were not decrypted due to hardware errors.

How do I add system health metrics to a dashboard?

You can customize your view of system performance information by adding system health metrics to a dashboard. You can add multiple metrics to a chart to compare data, such as the total throughput of the network capture compared with the total packets. You can choose a chart type that best fits how you would like to view data. For example, you can view how often each trigger is running in a line chart or a pie chart. You can also add chart notes and tips in text boxes.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click Dashboards from the top menu.
  3. Click the command menu in the upper right corner and select Create Dashboard to open an empty dashboard.
  4. Type a name for your dashboard, and then click Create.
  5. Click the empty chart widget in your newly created dashboard to launch the Metric Explorer where you will configure your dashboard.
  6. Click Add Source, and then add the wire network monitored by the ExtraHop appliance to the Sources field. This entry is typically at the top of the list and is identified by the word Capture followed by a MAC address.
  7. In the Metrics field, click the Any Protocol text, and then select ExtraHop from the list.
  8. From the drop-down list, select the health metric you would like to add, such as L2 Duplicate Packets or Trigger Executes.
  9. Click Save to return to your dashboard.
  10. Click Exit Layout Mode from the upper-right corner.

Assess available system health metrics to identify metrics that are most important to you. For example, you can create a dashboard that focuses on the performance of remote packet capture or one that tracks SSL certificates.

If you are unfamiliar with creating dashboards, see our Dashboard Walkthrough.

What other tools can help me evaluate system health?

The Status and Diagnostics section of the Admin UI provides metrics about the overall health of the ExtraHop appliance and diagnostic tools that enable ExtraHop Support to troubleshoot system errors.

  • Check health statistics to view metrics that indicate the operating efficiency of the ExtraHop appliance.
  • Check the audit log to view event logging data and to change syslog settings.
  • Learn about exception files and how to enable or disable them on the ExtraHop appliance.
  • Learn about support packs and how to upload and apply them on the ExtraHop appliance.

You can also view the following resources to learn more about system health:

Triggers concepts

Triggers are composed of user-defined code that automatically runs on system events through the ExtraHop Trigger API. You can write a trigger, which is a block of JavaScript, through the trigger API to extract, store, and visualize custom wire data events and metrics that are specific to your business, infrastructure, network, clients, and business applications.

Some of the most common workflows that you can perform through triggers include the following operations:

  • Create an application container in which metrics are collected for specific devices. Application containers augment the device-based views that the ExtraHop system constructs by default.
  • Create custom metrics and save them to the ExtraHop datastore. For example, user agent data generated by an HTTP request is not a metric built into the ExtraHop system. However, the ExtraHop Trigger API provides a user agent HTTP property, which enables you to write a trigger that collects user agent data as a custom metric.
  • Generate records and write them to the ExtraHop Explore appliance for long-term storage and retrieval.
  • Send data to syslog consumers, such as Splunk, or to third-party databases and message brokers, such as MongoDB or Kafka, through an open data stream.
  • Perform universal payload analysis (UPA) to access and parse TCP and UDP payloads from unsupported protocols.
  • Initiate packet captures to record individual flows based on user-specified criteria. Your ExtraHop system must be licensed for packet capture to access this feature.

In the ExtraHop Web UI, the Triggers page lists information about available triggers and provides access to the Trigger Configuration window, where you can write or modify triggers.

Plan a trigger

Writing a trigger to collect custom metrics is a powerful way to monitor your application and network performance. However, triggers consume system resources and can affect system performance, and a poorly-written trigger can cause unnecessary system load. Before you build a trigger, evaluate what you want your trigger to accomplish, identify which events and devices are needed to extract the data you need, and determine whether a solution already exists.

  • Identify the specific information you need to collect, by asking the following types of questions:
    • When will my SSL certificates expire?
    • Is my network getting connections on non-authorized ports?
    • How many slow transactions is my network experiencing?
    • What data do I want to send to Splunk through an open data stream?
  • Review the Metric Catalog to determine whether a built-in metric already exists that extracts the data you need. Built-in metrics do not create additional load on the system.
  • Identify which system events produce the data that you want to collect. For example, a trigger that monitors cloud application activity in your environment might run on HTTP responses and on the open and close of SSL connections. For a complete list of system events, see the ExtraHop Trigger API Reference.
  • Familiarize yourself with the API methods and properties available in the ExtraHop Trigger API Reference. For example, before you get too far in planning your trigger, check the reference to make sure that the property you want to extract is available, or to find out what properties are collected in a default CIFS record.
  • Determine how you want to visualize or store data collected by the trigger. For example, you can view metrics on a dashboard or by protocol, you can send records to the ExtraHop Explore appliance, or you can send data to another third-party system, such as Splunk.
  • Determine if a trigger already exists that meets your needs or might be easily modified; always start with a pre-existing trigger whenever possible. Search the following resources for an existing trigger:

Building triggers

If you determine that you need to build a new trigger, familiarize yourself with the following tasks that must be completed:

  • Configure the trigger to provide details such as the trigger name and whether debugging is enabled. Most importantly, specify which system events the trigger will run on. For example, if you want your trigger to run each time an SSH connection is opened, you will specify SSH_OPEN as the trigger event.
  • Write the trigger script, which specifies the instructions the trigger will carry out when a system event configured for the trigger occurs. The trigger script can provide instructions for a simple task such as creating a custom device count metric called "slow_rsp" or a more complex effort such as monitoring and collecting statistics about the cloud applications accessed in your environment.
  • Assign the trigger to the devices the trigger will collect data from. For example, if the trigger is configured to run on SSH_OPEN events, the trigger will run only when those events occur on assigned devices. The trigger cannot run until it has been assigned to at least one device.

After the trigger is complete and running, it is important to check that the trigger is performing as expected.

The Triggers page contains a list of current triggers with the following information:

Name
The user-defined name of the trigger.
Author
The name of the user who wrote the trigger. Default triggers display ExtraHop for this field.
Events
The system events that cause the trigger to run, such as HTTP_RESPONSE.
Type
The type of metric source for the trigger, such as a device or a network.
Debug Mode
Whether debugging is enabled. If debugging is enabled, output from debug statements in the trigger script is written to the runtime log.
ECA
The appliance where the trigger was written. If the trigger was created on an ExtraHop Command appliance, the Command appliance name is displayed. Otherwise, this field displays Local to indicate that the trigger was written on the local Discover appliance. This column is only available from a Discover appliance that is connected to a Command appliance.
Description
The user-defined description of the trigger.
Status
Whether the trigger is enabled. If the trigger is enabled, the number of device assignments also displays.

Check out the following guides and resources that are designed to familiarize new users with our top features.

Build a trigger

Triggers provide expanded functionality of your ExtraHop system. With triggers, you can create custom metrics, generate and store records, or send data to a third-party system. Because you write the trigger script, you control the actions taken by the trigger upon specified system events.

To build a trigger, you must create a trigger configuration, write the trigger script, and then assign the trigger to one or more metric sources. The trigger will not run until all actions are completed.

Before you begin

Log in to the Discover or Command appliance with a user account that has the full write privileges required to create triggers.

If you are new to triggers, familiarize yourself with the trigger planning process, which will help you narrow the focus of your trigger or determine whether you need to build a trigger at all. Then, run through the process of building a trigger by completing the Triggers Walkthrough.

Configure trigger settings

The first step to building a trigger is to provide a trigger name, determine whether debugging is enabled, and most importantly, identify which system events the trigger will run on.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon and then click Triggers.
  3. Click New, and then click the Configuration tab.
  4. Specify the following trigger configuration settings:
    Name
    A name for the trigger.
    Author
    The name of the user that wrote the trigger. Default triggers display ExtraHop.
    Description
    An optional description of the trigger.
    Status
    A checkbox that enables or disables the trigger.
    Debug
    A checkbox that enables or disables debugging. If you add debug statements to the trigger script, this option enables you to view debug output in the runtime log when the trigger is running.
    Events
    The events on which the trigger runs. The trigger runs whenever one of the specified events occurs on an assigned device; therefore, you must assign at least one event to your trigger. You can click in the field or begin typing an event name to display a filtered list of available events.
    Select advanced options
    Advanced trigger options vary by the selected events. For example, if you select the HTTP_RESPONSE event, you can set the number of payload bytes to buffer on those events.

    The following figure shows a sample configuration for a trigger that runs on HTTP responses:

Write a trigger script

The trigger script specifies the instructions the trigger will carry out when a system event configured for the trigger occurs.

Before you begin

We recommend that you open the ExtraHop Trigger API Reference, which contains the events, methods, and properties you need for your trigger. A link is also available from the trigger editor window in the ExtraHop Web UI.
  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon, and then click Triggers.
  3. From the Trigger Configuration window, click the Editor tab.
  4. Type the trigger script in JavaScript-like syntax with events, methods, and properties from the ExtraHop Trigger API Reference.

    The following figure shows a sample script entered on the Editor tab:

    The editor provides an autocomplete feature that displays a list of properties and methods based on the selected class object. For example, press CTRL+Space in the editor to display a list of class objects, and after you select a class, type a dot (.) to display a list of available properties and methods as shown in the following figure:

  5. Click Save Changes.

    The editor provides syntax validation of your script. When you save the trigger, the validator calls out any invalid actions, syntax errors, or deprecated elements in the script. If available, the validator displays replacements for deprecated elements. You cannot save the trigger until you fix your code or you disable syntax validation.

    Warning: To avoid poor trigger performance, incorrect results, or a trigger that does not function, we strongly recommend that you fix the code or replace the deprecated element rather than disabling validation. Disabling validation applies only to the trigger you are editing; there is no option to disable validation globally.

    The following figure shows a sample error message generated by the syntax validator:

    After a new trigger is saved, the Runtime Log and Performance tabs are displayed.

Assign a trigger to a device

You can assign a trigger to one or more devices or to a device group. A trigger does not run until it is assigned to a device, and the trigger gathers metric data only from the devices to which it is assigned.

Warning: Running triggers on unnecessary devices and networks exhausts system resources. Minimize performance impact by assigning a trigger only to the specific sources that you need to collect data from.
  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click Metrics from the top menu.
  3. Click Devices or Device Groups in the left pane.
  4. Select the checkbox for each device or device group you want to assign the trigger to.
  5. Click the Assign Trigger icon from the top of the page.
  6. Select the checkbox for each trigger you want to assign to the selected devices or device groups.
  7. Click Assign Triggers.
The trigger runs on the selected devices whenever the trigger events occur.
Tip: You can also manage trigger assignments for a device from the device overview page. From the Manage Device section, click Assignments to add or remove trigger assignments from the device and to view which triggers are already assigned to the device.

Advanced trigger options

You must configure triggers to run on at least one event. Depending on the selected event, the Trigger Configuration window displays advanced configuration options. For example, selecting the HTTP_RESPONSE event enables you to set the number of payload bytes to buffer each time that event occurs on the system.

The following describes each available advanced option and the events that support it.

Bytes per packet to capture
  Specifies the number of bytes to capture per packet. The capture starts with the first byte in the packet. Specify this option only if the trigger script performs packet capture. A value of 0 specifies that the capture should collect all bytes in each packet.
  Supported events: all events except the following:
    • ALERT_RECORD_COMMIT
    • METRIC_CYCLE_BEGIN
    • METRIC_CYCLE_END
    • FLOW_REPORT
    • NEW_APPLICATION
    • NEW_DEVICE
    • SESSION_EXPIRE

Bytes to Buffer
  Specifies the minimum number of payload bytes to buffer.
  Supported events:
    • CIFS_REQUEST
    • CIFS_RESPONSE
    • HTTP_REQUEST
    • HTTP_RESPONSE
    • ICA_TICK

Clipboard Bytes to Buffer
  Specifies the number of bytes to buffer on a Citrix clipboard transfer.
  Supported events:
    • ICA_TICK

Metric Cycle
  Specifies the length of the metric cycle, expressed in seconds. The following values are valid:
    • 30sec
    • 5min
    • 1hr
    • 24hr
  Supported events:
    • METRIC_CYCLE_BEGIN
    • METRIC_CYCLE_END
    • METRIC_RECORD_COMMIT

Metric Types
  Specifies the metric type by the raw metric name, such as extrahop.device.http_server. Specify multiple metric types in a comma-delimited list.
  Supported events:
    • ALERT_RECORD_COMMIT
    • METRIC_RECORD_COMMIT

Per Turn
  Enables packet capture on each flow turn. Per-turn analysis continuously analyzes communication between two endpoints to extract a single payload data point from the flow. If this option is enabled, any values specified for the Client matching string and Server matching string options are ignored.
  Supported events:
    • SSL_PAYLOAD
    • TCP_PAYLOAD

Client port min
  Specifies the minimum port number of the client port range. Valid values are 0 to 65535. A value of 0 specifies matching of any port.
  Supported events:
    • SSL_PAYLOAD
    • TCP_PAYLOAD
    • UDP_PAYLOAD

Client port max
  Specifies the maximum port number of the client port range. Valid values are 0 to 65535. Any value specified for this option is ignored if the value of the Client port min option is 0.
  Supported events:
    • SSL_PAYLOAD
    • TCP_PAYLOAD
    • UDP_PAYLOAD

Client bytes to buffer
  Specifies the number of client bytes to buffer. The value of this option cannot be set to 0 if the value of the Server bytes to buffer option is also set to 0.
  Supported events:
    • SSL_PAYLOAD
    • TCP_PAYLOAD

Client matching string
  Specifies the format string that indicates when to begin buffering client data. Any value specified for this option is ignored if the Per Turn option is enabled.
  Supported events:
    • SSL_PAYLOAD
    • TCP_PAYLOAD
    • UDP_PAYLOAD

Server port min
  Specifies the minimum port number of the server port range. Valid values are 0 to 65535. A value of 0 specifies matching of any port.
  Supported events:
    • SSL_PAYLOAD
    • TCP_PAYLOAD
    • UDP_PAYLOAD

Server port max
  Specifies the maximum port number of the server port range. Valid values are 0 to 65535. Any value specified for this option is ignored if the value of the Server port min option is 0.
  Supported events:
    • SSL_PAYLOAD
    • TCP_PAYLOAD
    • UDP_PAYLOAD

Server bytes to buffer
  Specifies the number of server bytes to buffer. The value of this option cannot be set to 0 if the value of the Client bytes to buffer option is also set to 0.
  Supported events:
    • SSL_PAYLOAD
    • TCP_PAYLOAD

Server matching string
  Specifies the format string that indicates when to begin buffering server data. Returns the entire packet upon a string match. Any value specified for this option is ignored if the Per Turn option is enabled.
  Supported events:
    • SSL_PAYLOAD
    • TCP_PAYLOAD
    • UDP_PAYLOAD

All UDP Datagrams
  Enables capture of all UDP datagrams.
  Supported events:
    • UDP_PAYLOAD

Run FLOW_CLASSIFY on expired flows
  Enables running the event upon flow expiration to accumulate metrics for flows that were not classified before expiring.
  Supported events:
    • FLOW_CLASSIFY
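Several of the payload options above interact (a port min of 0 silences port max, the two byte-buffer options cannot both be 0, Per Turn overrides the matching strings). The following is an added example, not ExtraHop code, that encodes those rules as a pre-save check; the option keys such as clientPortMin and serverBytesToBuffer are constructed for the example and are not ExtraHop API or Web UI identifiers.

```javascript
// Added example, not ExtraHop code: a pre-save sanity check that encodes the
// option semantics described above. The option keys (clientPortMin,
// serverBytesToBuffer, ...) are constructed here and are not ExtraHop API or
// Web UI identifiers.

const METRIC_CYCLES = new Set(["30sec", "5min", "1hr", "24hr"]);
const NO_PACKET_CAPTURE = new Set(["ALERT_RECORD_COMMIT", "METRIC_CYCLE_BEGIN",
  "METRIC_CYCLE_END", "FLOW_REPORT", "NEW_APPLICATION", "NEW_DEVICE",
  "SESSION_EXPIRE"]);

// Port range test with the documented meaning of 0: a min of 0 matches any
// port and makes max irrelevant. A max below a non-zero min is not defined
// in the option descriptions, so validateTriggerOptions rejects it instead.
function portInRange(min, max, port) {
  if (min === 0) return true;
  return port >= min && port <= max;
}

// Returns { errors, warnings }: errors are settings the descriptions call
// invalid, warnings are settings the descriptions say are silently ignored.
function validateTriggerOptions(events, o) {
  const errors = [], warnings = [];
  const validPort = (p) => Number.isInteger(p) && p >= 0 && p <= 65535;
  if (o.bytesPerPacket !== undefined) {
    events.filter((e) => NO_PACKET_CAPTURE.has(e)).forEach((e) =>
      errors.push(`Bytes per packet to capture is not supported on ${e}`));
  }
  if (o.metricCycle !== undefined && !METRIC_CYCLES.has(o.metricCycle)) {
    errors.push(`Metric Cycle must be one of ${[...METRIC_CYCLES].join(", ")}`);
  }
  for (const side of ["client", "server"]) {
    const min = o[`${side}PortMin`], max = o[`${side}PortMax`];
    if (min === undefined) continue;
    if (!validPort(min) || (max !== undefined && !validPort(max))) {
      errors.push(`${side} port range values must be 0 to 65535`);
    } else if (min === 0 && max !== undefined && max !== 0) {
      warnings.push(`${side} port max is ignored because ${side} port min is 0`);
    } else if (min > 0 && max !== undefined && max < min) {
      errors.push(`${side} port max is below ${side} port min`); // assumption
    }
  }
  if (o.clientBytesToBuffer === 0 && o.serverBytesToBuffer === 0) {
    errors.push("Client bytes to buffer and Server bytes to buffer cannot both be 0");
  }
  if (o.perTurn && (o.clientMatchingString || o.serverMatchingString)) {
    warnings.push("Matching strings are ignored because Per Turn is enabled");
  }
  return { errors, warnings };
}
```

Rejecting a max below a non-zero min is this example's own choice, because the option descriptions do not say how that combination behaves.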

Monitor trigger performance

After you have built a trigger, check to ensure that it is running as expected, without errors or unnecessary consumption of resources. If your trigger script includes a debug statement, check the runtime log for debug output. You can also check the runtime log for errors and exceptions. You can view performance information for an individual trigger and you can view several system health charts that indicate the collective impact of all of your triggers on the system.

To learn about the steps you must complete to create a trigger, see Build a trigger.

Check trigger output in the runtime log

After you create or edit a trigger, you can view the Runtime Log tab to check that the trigger is running as expected, without issues. The runtime log displays debug output, errors, and exceptions. This tab only appears after the trigger is saved.

If a trigger includes a debug statement, the output from that statement is displayed in the trigger runtime log. Ensure that the logged output is expected. If you are not seeing results, check that debugging is enabled on the Configuration tab.

Note that debug output starts logging as soon as the trigger is assigned and saved; however, the log cannot display data that occurred prior to when the trigger was assigned and saved.

The following steps show you how to access the runtime log:

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon, and then click Triggers.
  3. Double-click the trigger you want to view.
  4. Click the Runtime Log tab.
In the following example, the trigger runs on HTTP events for the selected devices and writes each URI that contains "seattle" to the runtime log:
if (HTTP.uri.match("seattle")) {
    // Associate the matching transaction with the Seattle App application
    Application("Seattle App").commit();
    // Write the matched URI to the runtime log (requires debugging to be enabled)
    debug(HTTP.uri);
}

When a match occurs, the URI that contains the match is written to the runtime log as shown in the following figure:

The runtime log also displays any runtime errors or exceptions that occur, whether or not debugging is enabled on the Configuration tab. You should fix exceptions when they occur to minimize the performance impact on your system.
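To see how the debug setting and a script error each show up in the runtime log, the following is an added example, not ExtraHop code: a small stand-in for the trigger runtime that feeds constructed HTTP events to the trigger above and to a deliberately mistyped copy of it. The HTTP, Application and debug objects are constructed to match the shape the trigger expects; the real runtime and its log are not reproduced.

```javascript
// Added example, not ExtraHop code: a stand-in for the trigger runtime so the
// trigger shown above can be exercised offline. HTTP, Application and debug
// are constructed to match the shape the trigger expects; the real runtime,
// its event delivery and its runtime log are not reproduced.

// The trigger body from the guide, wrapped as a function of its inputs.
function seattleTrigger(HTTP, Application, debug) {
  if (HTTP.uri.match("seattle")) {
    Application("Seattle App").commit();
    debug(HTTP.uri);
  }
}

// Same trigger with a deliberate typo (url instead of uri) to show how a
// script error surfaces as an exception on every event it runs on.
function brokenTrigger(HTTP, Application, debug) {
  if (HTTP.url.match("seattle")) {
    Application("Seattle App").commit();
    debug(HTTP.url);
  }
}

// Runs a trigger once per event and collects what the Runtime Log tab would
// show: debug lines (only while debugging is enabled) and exceptions
// (always), plus the execution count the Performance tab reports.
function runTrigger(trigger, events, debugEnabled) {
  const log = { debug: [], exceptions: [] };
  const committed = [];
  const Application = (name) => ({ commit: () => committed.push(name) });
  const debug = (msg) => { if (debugEnabled) log.debug.push(String(msg)); };
  let executes = 0;
  for (const HTTP of events) {
    executes += 1;
    try {
      trigger(HTTP, Application, debug);
    } catch (err) {
      log.exceptions.push(`${err.name}: ${err.message}`);
    }
  }
  return { executes, committed, log };
}

// Constructed sample HTTP_REQUEST events; two of the three URIs match.
const SAMPLE_EVENTS = [
  { uri: "/store/seattle/hours" },
  { uri: "/store/portland/hours" },
  { uri: "/search?q=seattle" },
];
```

With debugging disabled the matching transactions are still committed but nothing reaches the debug log, while the mistyped trigger throws on every event regardless of the debug setting.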

View the performance of an individual trigger

After you create or edit a trigger, you can view the Performance tab to view a graphical representation of the performance impact the trigger has on your environment. This tab only appears after the trigger is saved.

  1. Log into the Web UI on the ExtraHop Discover or Command appliance.
  2. Click the System Settings icon, and then click Triggers.
  3. Double-click the trigger you want to view.
  4. Click the Performance tab.

The tab displays a trigger performance graph that tracks the number of cycles the trigger has consumed within a given time interval. You can hover over a data point to display key performance metrics at a single point in time.

The hover tip includes the following information:

  • The most and least cycles the trigger consumed to process a single event.
  • The number of times the trigger ran and the percentage of times the trigger ran compared to all triggers that ran in the same time range.
  • The total number of cycles consumed by the trigger and the percentage of cycles consumed compared to all triggers that ran in the same time range.

Next steps

If the trigger impact is high, re-evaluate the purpose of the trigger and consider the following options:
  • Ensure the trigger performs only necessary tasks and runs only on required devices or networks.
  • Check for exceptions in the runtime log and visit the System Health page, which provides additional trigger performance metrics such as the number of running triggers, trigger load, and trigger exceptions.
  • Assess the efficiency of the trigger script and look for trigger optimization tips in the Triggers Best Practices Guide.

View the performance of all triggers on the system

After you have built a trigger, view several System Health charts that indicate the collective impact of all of your triggers on the system. You can monitor these charts for problems that affect system performance or result in incorrect data.

The System Health page contains several charts that provide an at-a-glance view of the triggers running on the ExtraHop system.

  1. Click the System Settings icon, and then click System Health.
  2. View the following charts:
    • Trigger Executes by Trigger: Displays all triggers running on the system. If the trigger you just created or modified is not listed, there might be an issue with the trigger script.
    • Trigger Executes: Displays bursts of trigger activity that might indicate inefficient behavior from one or more triggers. If any bursts of activity are displayed, view the Trigger Executes by Trigger chart to locate any trigger that is consuming higher resources than average, which can indicate that the trigger has a poorly optimized script that is affecting performance.
    • Trigger Exceptions by Trigger: Displays any exceptions caused by triggers. Exceptions are a large contributor to system performance issues and should be corrected immediately.
    • Trigger Drops: Displays the number of triggers that have been dropped from the trigger queue. A common cause of dropped triggers is a long-running trigger that is dominating resource consumption. A healthy system should have 0 drops at all times.
    • Trigger Load: Tracks the usage of all available resources by triggers. A high load is approximately 50%. Look for spikes in consumption that can indicate that a new trigger has been introduced or that an existing trigger is having issues.

    You can monitor whether your datastore triggers, also referred to as bridge triggers, are running properly with the following charts:

    • Datastore trigger executes
    • Datastore trigger exceptions by trigger
    • Datastore trigger drops

Devices

Devices are objects on your network, identified by a MAC address and, where one is seen, an IP address, that have been automatically discovered and classified by the ExtraHop system. Metrics are available for every discovered device on your network. An L2 device has a MAC address only; an L3 device has both an IP address and a MAC address.

For more information about how devices are automatically discovered and classified by the ExtraHop system, see Device discovery.

Find a device

The ExtraHop system automatically discovers devices such as clients, servers, routers, load balancers, and gateways that are actively communicating with other devices over the wire. If you want to see network activity associated with a specific device, you can search for your device in the Discover or Command appliance, and then view traffic and protocol metrics on a protocol page.

There are several ways to search for a device:
  • Perform a general search from the global search field at the top of the page.
  • Perform a detailed search from the device list page in the Metrics section of the ExtraHop Web UI, where you can filter search results by device attributes.