Splunk Enterprise deployment planning

The Splunk App for Enterprise Security is installed into a Splunk Enterprise environment. Depending upon the search load and volume of data being processed, there are several architectures to be considered.

Common deployment architectures

This topic covers how to install the Splunk App for Enterprise Security in the following existing deployment architectures:

• Single-server deployment
• Distributed search deployment

The recommended deployment architectures have the following components:

• Search head: A Splunk Enterprise instance that is the central location for Splunk apps and search knowledge, hosting the users, and providing authentication and authorization. The search head also manages and directs search requests to the few or many indexers. The Splunk App for Enterprise Security must be installed on its own search head.
• Indexer: A Splunk Enterprise instance that processes search requests from search heads. The indexer also accepts incoming data streams from forwarders, transforms them into events, and writes the results into indexes.
• Forwarders: A lightweight Splunk Enterprise instance that obtains and forwards data to the indexers. Forwarders are designed to load balance the data streams between indexers.

Single server deployments

For simple deployments, you can use a single server with Splunk for Enterprise Security installed. A single-server instance serves as both a search head and indexer, accepting direct data streams along with storing and searching the data. This configuration is commonly used for a lab or test environment, and can support one or two users running concurrent searches. See the Indexers topic for additional storage requirements.

To get data from servers and applications, Splunk recommends using forwarders on the nodes hosting the data.

Distributed search deployments

For Splunk for Enterprise Security, a three-tier Splunk deployment is recommended. A dedicated search head will manage search initiation, user interface, and user management, while multiple indexers will allow Splunk to improve search performance by distributing the workload of searching data. Multiple indexers also allows for distributing the forwarders incoming data streams, and the workload of processing those streams.

See Indexers in this topic for scaling recommendations. To review critical details in determining scale and the hardware required, see Hardware capacity planning for a distributed Splunk Enterprise deployment.

To get data from servers and applications, Splunk recommends using forwarders on the nodes hosting the data.

Splunk Enterprise system requirements

The Splunk App for Enterprise Security 3.1 requires Splunk Enterprise version 6.1.3 or 6.2.x on all search heads and indexers.

See System Requirements in the Splunk Enterprise Installation manual for the list of supported OS's, browsers, and file systems.

Note: Configuring Splunk Enterprise on a *nix OS requires a review of the ulimit settings. See Considerations regarding file descriptor limits (FDs) on *nix systems in the Splunk Enterprise Installation manual.

Search Head

• The Splunk App for Enterprise Security must be installed on its own search head. Only CIM compatible add-ons should be installed with the Enterprise Security app.

• The Splunk App for Enterprise Security 3.0 and later changed all real-time searches to use indexed real-time to improve indexing performance. See About real-time searches and reports in the Search manual for more information. If the configuration is reverted to use real-time searches, it will impact indexing capacity. To review the performance implications, see the known limitations of real-time searches topic.

CPU support

• An Enterprise Security search head requires a minimum of 16 CPU cores. Additional cores will be necessary depending on search concurrency, search type, and number of users. See Reference Hardware: Dedicated search head topic in the Distributed Deployment manual for the latest requirements for Splunk Enterprise.

• SPARC platform support is a deprecated feature, is untested, and not recommended.

Memory

• An Enterprise Security search head requires a minimum of 16GB of RAM. Additional memory will be necessary depending on search concurrency, the number of correlation searches enabled, and the size of the asset and identity tables referenced by the Enterprise Security app.

Forward search head data to indexers

• This deployment architecture is used in larger environments where the data volumes are higher and the summary indexes are expected to be larger. The search head must be configured to send all data generated locally to the indexers. See how to "forward search head data to the indexer layer" in the Distributed Search manual. This configuration is also required to implement search head pooling.

Search head pooling

• The Splunk App for Enterprise Security supports search head pooling. Search head pooling adds the potential for conflicts with other Splunk apps and has significant performance considerations. Please review the "Search head pooling configuration issues" topic in the Distributed Search manual if you are planning to implement a search head pool.

• See "Overview of search head pooling" in the Splunk core documentation for more information on search head pooling and implementation issues.

Indexers

• Indexing is an I/O-intensive process. The indexers require sufficient disk I/O to ingest data and respond to search requests. See Reference Hardware: Indexer topic in the Distributed Deployment manual for the latest IOPS requirements for Splunk Enterprise.

• Splunk scales horizontally through the use of indexers. The number of indexers required in a deployment is dependent on the data volume, retention requirements, search type, and search concurrency. The Splunk App for Enterprise Security indexer scaling recommendation is one indexer per 100GB of indexed data volume per day.

Data volume (GB/day)	100	300	500	1000	2000
Required Indexer count with one Enterprise Security search head.	1	3	5	10	20

• Indexers can serve more than one search head. Additional search heads will impact the performance of the indexers, and as a result the resources available to the Enterprise Security search head will be reduced. Increase the number of indexers to scale with the increase in search load and search concurrency.

Indexes

• A new index was created to support the Risk Analysis feature. Customers that maintain a custom app to deploy indexes, and forward search head data to the indexers must create the risk index. See the Indexes topic in this manual.

Clustering

• The Splunk App for Enterprise Security supports both single site and multisite cluster architectures. See The basics of cluster architecture and Multisite cluster architecture in the Managing Indexers and Clusters manual

• A single site or multisite cluster architecture can have one search head or search head pool with a running instance of the Splunk App for Enterprise Security. Any other search heads cannot run the Enterprise Security app.

• Using the clustering feature changes the way you must deploy apps and configuration files to the indexer peer nodes. See Manage common configurations across all cluster peers and Manage app deployment across all cluster peers in the Managing Indexers and Clusters manual.

Data models

• The Splunk App for Enterprise Security 3.0 and later makes extensive use of accelerated data models. Data model acceleration uses the indexers for storage, with the data models being stored alongside each index. Calculate the additional storage needed on the indexers based on the total volume of data using the formula:

Accelerated data model storage/year = Data volume per day * 3.4

This formula assumes you are using the recommended retention rates for the accelerated data models.

Example: If you are processing 100GB/day of data volume for use with Enterprise Security, you will need approximately 340GB more space available across all of the indexers to allow for up to 1 year of data model retention and source retention.

• Data model acceleration storage is not calculated with index sizing for maintenance tasks such as free space calculations and bucket rolling. The storage path is managed independently of index settings. See Datamodels in this manual.

• Splunk Enterprise 6.1 has new configuration parameters for data model acceleration tasks. See Advanced configurations for persistently accelerated data models in the Knowledge Manager manual.

Deployment server

The Splunk deployment server is used to deploy Splunk apps to nodes within the Splunk Enterprise environment. It is most often used to deploy add-ons, or TA's to forwarders and indexers for distributing index-time knowledge.

• The Splunk App for Enterprise Security includes a set of sample apps to provide examples of basic configurations to be deployed to forwarders and indexers using the deployment server. The sample apps are available in an archive file contained in the Enterprise Security Install App. You will need server access to unzip the archive where the sample apps are stored.

1. Unzip this file: SplunkEnterpriseSecuritySuiteInstaller/default/src/splunk_app_es-*.zip.
2. After unzipping, the deployment-apps can be found at: SplunkEnterpriseSecuritySuiteInstaller/default/src/etc/deployment-apps.

• See About deployment server and forwarder management in the Updating Splunk Enterprise Instances manual for more information about the deployment server.

Virtualized hardware

• Installing the Splunk App for Enterprise Security in a virtualized environment requires the same memory and CPU allocation as an installation in a non-virtualized, bare-metal environment. All CPU and memory resources must be explicitly reserved, with no oversubscription of hardware.

• The storage IOPS must be tested simultaneously across all Splunk Enterprise nodes, and the results from every node must conform to the Reference Hardware IOPS specified in the Distributed Deployment manual.

• For specific VMware configuration details, download and review the technical brief: Deploying Splunk Inside Virtual Environments: Configuring VMware Virtual Machines to Run Splunk under Resources.

Using the Splunk App for Enterprise Security with other apps

• The Splunk App for Enterprise Security relies heavily on the knowledge supplied in the add-ons. These add-ons or TA's specify the complex processing necessary to optimize, normalize, and categorize your IT security data for use with the Common Information Model and the Enterprise Security app. Splunk apps that are compatible with the Splunk App for Enterprise Security will be documented on the Splunk Apps as CIM compliant or CIM compatible.

• Splunk Apps and other add-ons that have been developed separately from Enterprise Security often include data knowledge that has not been normalized for the CIM, and could prevent the proper functioning of the Enterprise Security searches and dashboards that rely on those fields.