Network Management

I'm trying to figure out what the best way to export data from AppRF is. Specifically I am interested in the connection data around users, destinations and timestamps (which I don't see available in the AppRF display but assume must be there somewhere to show based on time frame specified). While I see i can configure a syslog server from under the AMP setup page, I think this is more for device connection information and not traffic analytics. 

Ideally I am trying to use this data to map against other security products which also use URL/destination IP and timestamps to identify suspicious traffic. 

We currently send ClearPass data to splunk, but I am looking to enhance this data feed with more firewall/AppRF type data. 

Any suggestions welcome. 

Have you tried to run an AppRF report with details?

I was hoping to do this more of a streaming real time or syslog feed if possible.

Ideally my end goal is to have this data in splunk for correlation. Right now I have other devices that are monitoring network traffic from the controller to the internet, but everything looks as if it is sourced from the controller. I am hoping to get the controller logs to map back the traffic to a specific user and device in closer to real time.

That seems possible in the future, but not in the current implementation.  It would be a feature enhancement request to build an outbound feed to send AppRF data to an external system.  Please submit RFE to the ideas portal on the support site, or discuss with your HPE/Aruba sales team.

Aside from reporting, is there any other way to access the data that is presented in appRF?

There's the main AppRF page, but it doesn't have any export options.  You could also try fetching from the db, but keep in mind there is performance impact for db queries since reads require table locks which affect write actions (read as: not advised, but possible if you do it sparingly - by the sounds of your goal, this is probably not the way to go).  I'm imagining your requirement is similar to customers who like to grab x/y coordinates often from VisualRF, which may mean an API needs to be built to handle the load.  If/When you file an RFE, please include the factors of how often you will poll data, and which elements of the data you're looking to obtain - applications, destinations, users, ip's, etc.

ok thanks. Is there no other place that captures this level of connection information? Even if it is just source/destination IP and end device along with timestamp that would be sufficient for the moment.

Not outside of AppRF and the AppRF report.  There is a small snippet of top applications that shows on user diagnostics page (while they are currently logged in on the network), but it correlates to a time range, not an exact time.