Purview Integration: Splunk

The Purview™ Solution – Integration With Splunk
Integrating Application Management and Business Analytics With Other IT Management Systems
A SOLUTION WHITE PAPER
Introduction
Purview Integration with Splunk
Purview is a network-powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence about applications, users, locations and devices.
It is the industry's first and only (patent pending) solution to transform the network into a strategic business asset by enabling the mining of network-based business events and strategic information that help business leaders make faster and more effective decisions. It does this from a centralized command and control center that combines network management with business analytics, at unprecedented scale (100M sessions) and scope.
Enterprise mobility is more than the mobile device: mobility and agility across the entire enterprise require access to data from any device. This has changed the application landscape, moving away from installing and maintaining traditional applications toward private and public Cloud-based delivery models such as SalesForce.com, Google Apps and many more.
Millions of new applications have been developed to support new work efficiencies, with new "apps" showing up every day; some become business-critical the next day while others may have no real value. Additionally, mobile users demand immediate access to all of their social media apps. Social, mobile, Cloud and Big Data are everywhere. To maximize the user experience, IT must make sure that applications can be seamlessly delivered from the Cloud, private or public, to the users and devices that need them to do their jobs.
The Purview Solution – White Paper
[Figure 1 – Loss of application visibility and control. Left: how users see applications (apps everywhere, public and private Cloud). Right: how traditional switches see applications (Port 80, Port 443).]
What is Purview?
The three main solution components that make up this unique Purview
architecture are:
• OneFabric Control Center with OneFabric Connect
• Purview (Application Fingerprint) Engine
• CoreFlow2 based Data Collection Device
OneFabric Control Center provides centralized visibility and control over the entire
network. Centralized visibility and control enables infrastructure and application
teams to work together, eliminating costly misalignments and errors that occur
through typical operational workflows. Embedded automation and orchestration
features improve application delivery for dynamic and mobile environments
leveraging Cloud, virtualization, and server/storage consolidation.
OneFabric Control Center provides unified, centralized management and control, which allows network operations to leverage the power and intelligence built into Extreme Networks networking solutions and thereby unlock the full potential of Purview.
Additionally, OneFabric Control Center, as an SDN (Software Defined Network) management and control solution, integrates with external systems via OneFabric Connect, a set of APIs that extends visibility and control to external tools. The data that Purview provides can be accessed via OneFabric Connect to create new third-party integrations or augment existing ones. The integration options are:
• Scheduled reporting (email via PDF)
• OneFabric Connect API (XML) support for integration with other IT applications
• Real-time application detection notification (using syslog)
Purview is in fact a deep packet inspection (DPI) solution that can be deployed at scale, across the entire network infrastructure from the data center to the mobile edge, wired and wireless, to provide a superior user experience while optimizing network resource utilization. A fully integrated and unified solution can also eliminate point products, thereby reducing the operational complexity and cost that is associated with these existing approaches. By providing more contextual information the solution becomes a business asset for analytics and network-driven business intelligence.
CoreFlow2 is the cornerstone of Extreme Networks' switching technology, addressing the need for application monitoring and control at scale and high performance. CoreFlow2 is a highly programmable, custom-designed ASIC, which delivers flexibility in packet classification and reframing not found in competitive offerings. The granularity of packet analysis and controls is unsurpassed, and it translates into real-world benefits in the data center and the campus network. The flow-based application visibility provided by CoreFlow2 is used to mirror Purview flows to the Purview Fingerprint Engine.
[Figure (captioned in the source as "Figure 1–Loss of application visibility and control") – Purview architecture: OneFabric Control Center (Visibility, Control, Context); Purview Engine (Collect, Analyze, Classify), fed by NetFlow and the Purview Mirror; CoreFlow2 Data Collection Device (massive scalability: multiple Tbit/s and millions of flows).]
Overview – Purview Integration with Splunk Enterprise
What is Splunk Enterprise?
IT systems and technology infrastructure (websites, applications, servers, networks, sensors, mobile devices and the like) generate massive amounts of machine data. By monitoring and analyzing everything from customer clickstreams and transactions to network activity and call records, Splunk Enterprise turns machine data into valuable analytics. Troubleshoot problems and investigate security incidents in minutes, not hours or days. Monitor your end-to-end infrastructure to avoid service degradation or outages. Gain real-time visibility into user experience, transactions and behavior.
The integration between Splunk Enterprise and Purview allows users to take full advantage of layer 7 application fingerprints produced by Purview within the Splunk framework. This enables the complex use cases and analytics that Splunk makes possible through its user interface, powered under the covers by Purview application fingerprints derived from real-world network communications.
Splunk also has the ability to issue complex queries over incoming data sources. This allows network and security administrators to gain insight into what is actually happening on the networks and systems they are responsible for. The addition of Purview data allows such investigations to take full application-layer fingerprinting information into account, a rich enhancement to network visibility for Splunk users.
Purview Alerts with Splunk Enterprise
Splunk has a lightweight correlation system capable of producing custom-built Alerts. The Splunk system allows the administrator to create security, policy, or behavioral Alerts tied to specific values extracted from the results of a saved search. These Alerts can be posted to the Splunk user interface, configured to launch an administrator-supplied script, or emailed to provide immediate notification.
The Splunk system does not come with a large number of default Alerts; instead, Splunk administrators create their own custom Alerts to match their particular needs. In the example below a custom Splunk Alert is created via a wizard to detect virtual network computing (VNC) network reconnaissance and then post the Alert to the Splunk user interface.
Purview Visibility within Splunk
Splunk is able to provide in-depth visibility derived from the Purview event feed.
Splunk provides a facility for complex queries, custom aggregations, multiple
chart formatting options, real-time dashboards, and historical views through
trend reports. Splunk’s strength is to parse, normalize, and process all available
fields within the Purview event feed without any burdensome customization
requirements placed upon the administrator. In the example below the Application
Response Time field provided in the Purview feed is monitored for all values greater than
200 ms, aggregated by application, and then displayed in an auto-updating time-series chart.
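The two checks described in the Alerts and Visibility sections above, as an added example that is not part of the white paper or of any Purview or Splunk code: a small Python script that parses a constructed Purview-style syslog feed, counts events per application whose response time exceeds 200 ms, and flags a source that has touched many distinct VNC hosts (the condition a VNC reconnaissance Alert would key on). The key=value field layout, the field names (src, dst, app, response_time), the millisecond unit and the alert threshold are all assumptions; the real Purview syslog format and Splunk field extraction are not shown on this page.

```python
# Added example, not from the white paper. Field names, the key=value layout,
# the sample values and the alert threshold are assumptions.
import re
from collections import defaultdict

# Constructed sample events; response_time is assumed to be in milliseconds.
SAMPLE_FEED = """\
<134>Jan 14 10:00:01 purview: src=10.1.1.5 dst=10.2.0.10 app=VNC response_time=12
<134>Jan 14 10:00:02 purview: src=10.1.1.5 dst=10.2.0.11 app=VNC response_time=15
<134>Jan 14 10:00:02 purview: src=10.1.1.5 dst=10.2.0.12 app=VNC response_time=9
<134>Jan 14 10:00:03 purview: src=10.1.1.5 dst=10.2.0.13 app=VNC response_time=11
<134>Jan 14 10:00:03 purview: src=10.1.1.5 dst=10.2.0.14 app=VNC response_time=14
<134>Jan 14 10:00:03 purview: src=10.1.1.5 dst=10.2.0.15 app=VNC response_time=10
<134>Jan 14 10:00:04 purview: src=10.1.1.7 dst=10.2.0.10 app=VNC response_time=20
<134>Jan 14 10:00:05 purview: src=10.1.1.8 dst=10.3.0.4 app=Salesforce response_time=340
<134>Jan 14 10:00:06 purview: src=10.1.1.9 dst=10.3.0.4 app=Salesforce response_time=250
<134>Jan 14 10:00:08 purview: src=10.1.1.2 dst=10.3.0.9 app=GoogleApps response_time=210
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_feed(text):
    """Turn each syslog line into a dict of its key=value fields."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]

def slow_apps(events, threshold_ms=200):
    """Count events per application whose response time exceeds the threshold
    (the 'Application Response Time > 200 ms, aggregated by application' view)."""
    counts = defaultdict(int)
    for e in events:
        if int(e.get("response_time", 0)) > threshold_ms:
            counts[e["app"]] += 1
    return dict(counts)

def vnc_recon_sources(events, min_distinct_dst=5):
    """Flag sources that contacted at least min_distinct_dst distinct VNC hosts:
    the alert condition for the VNC reconnaissance Alert described in the text.
    The threshold is an assumed tuning value, not a Purview or Splunk default."""
    targets = defaultdict(set)
    for e in events:
        if e.get("app") == "VNC":
            targets[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_distinct_dst}

if __name__ == "__main__":
    evs = parse_feed(SAMPLE_FEED)
    print(slow_apps(evs))           # {'Salesforce': 2, 'GoogleApps': 1}
    print(vnc_recon_sources(evs))   # {'10.1.1.5': 6}
```

In Splunk the same two results would come from a saved search over the extracted fields (a where clause on the response-time field followed by a count by application, and a distinct count of destinations by source for the VNC application); the script only makes the logic explicit.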
Additional visualizations of Purview data are displayed below.
Figure 5 – Raw Purview data collected from a relatively busy network
Figure 6 – The Purview data is fully indexed and is searchable
Figure 7 – Top source IP addresses in the current data set along with an aggregate graphical view
Figure 8 – Top Apps: top applications in the current sample set, illustrating Splunk indexing of our application-specific fingerprint information
Splunk Queries of Purview Data
A strength of Splunk is the ability to issue complex queries over incoming data sources. This allows network and security administrators to gain insight into what is actually happening on the networks and systems they are responsible for. The addition of Purview data allows such investigations to take full application-layer fingerprinting information into account, a rich enhancement to network visibility for Splunk users.
Summary
Purview provides application visibility for IT operations and business analytics at unparalleled scale and performance. Purview is also part of the OneFabric Control Center suite of network management solutions. By taking advantage of the OneFabric Connect API, Purview acts as a data broker and can feed application-layer data to third-party applications for uses such as SIEM, Splunk for detailed compliance reporting and analytics, and much more.
©2014 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/about-extreme/trademarks.aspx. Specifications and product availability are subject to change without notice. 6667-0114
WWW.EXTREMENETWORKS.COM