Splunk® Security App for SAP® solutions

User Guide

Install the Splunk Security App for SAP solutions

You can install the Splunk Security App for SAP® solutions on Splunk Enterprise or Splunk Cloud Platform. Follow the steps according to your preferred installation location.

This app runs on the Splunk platform. The following system requirements apply to the Splunk software you use to run the Splunk Security App for SAP solutions:

Install on a single instance of Splunk Enterprise

If your Splunk Enterprise deployment is a single instance, install both the app and the add-on to your single instance. You can install both packages on Splunk Web by selecting Install app from file on the Manage Apps page, or install the packages manually using the command line.

After you install the app and add-on, you can create indexes the app can use to report on configured saved searches. For more information, see Schedule reports in the Splunk Enterprise Reporting Manual.

Install on a non-clustered distributed Splunk Enterprise environment

If your Splunk Enterprise deployment is distributed and non-clustered, follow these steps:

  1. Install the app and add-on on your search heads.
  2. Turn off visibility for the add-on on your search heads.
  3. Configure the search head tier to directly forward data to the indexer tier.
  4. Install the add-on to heavy forwarders.

Install the app and the add-on on your search heads

If you are installing the app or add-on on one or more independent search heads, follow your preferred method of deploying both the app and the add-on. Choose from the following options:

  • Select Install app from file on the Manage Apps page in Splunk Web.
  • Install the packages manually using the command line.
  • Use a deployment server to deploy the unconfigured packages to your search heads. Do not configure the app or add-on prior to deploying it or your configurations get overwritten.

Turn off visibility for the add-on on your search heads

After you deploy the app and the add-on to your search heads, turn off the visibility for the add-on on each search head. Turning off visibility helps prevent data duplication errors that can result from running inputs on your search heads instead of, or in addition to, on your data collection node.

  1. Go to Apps > Manage Apps.
  2. Find the Splunk Security Add-on for SAP solutions with the folder name splunk_ta_sap_etd_alerts in the list, and select Edit properties.
  3. Under Visible, select the radio button for No.
  4. Select Save.
  5. Repeat these steps on all search heads.

Configure the search head tier to directly forward data to the indexer tier

  1. Create an outputs.conf file based on the following example. Keep comments on their own lines, because Splunk reads a trailing "#" on a setting line as part of the value:
    # Turn off indexing on the search head
    [indexAndForward]
    index = false
    
    [tcpout]
    # Name of the search peer group
    defaultGroup = my_search_peers
    forwardedindex.filter.disable = true
    indexAndForward = false
    
    [tcpout:my_search_peers]
    # List of peers
    server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997
    
  2. Place the outputs.conf file in $SPLUNK_HOME/etc/apps/splunk_ta_sap_etd_alerts/local on the search head.
  3. Restart the search head.

You can now distribute the summary index configurations to the indexer. See Use summary indexing for increased search efficiency in the Splunk Enterprise Knowledge Manager Manual.

Install the add-on to heavy forwarders

Follow your preferred method of deploying the Splunk Security Add-on for SAP solutions to one or more heavy forwarders.

Choose from the following options:

  • Follow the Install app from file guided setup on Manage Apps in Splunk Web.
  • Install manually using the command line.
  • Use a deployment server to deploy the unconfigured packages to your forwarders. Do not configure the app or add-on prior to deploying it.

The add-on does not support universal forwarders or light forwarders because the configuration logic handled by the add-on requires Python. In addition, to configure SAP accounts in the add-on, you must do so using the add-on configuration UI in Splunk Web rather than in the configuration files.

Install in a clustered distributed Splunk Enterprise environment

To accelerate reporting, the Splunk Security App for SAP solutions uses summary indexing that builds separate summary indexes on the search head. If you are deploying the Splunk Security App for SAP solutions in a clustered environment, you must distribute the summary index configuration bundle across all the clustered indexers, and configure your individual or clustered search heads to directly forward data to the indexer tier so that the data summary gets shared across all the search heads.

Perform the following steps:

  1. Install the app and the add-on on your search head cluster.
  2. Turn off visibility for the add-on on your search heads.
  3. Configure the search head tier to directly forward data to the indexer tier.
  4. Install the add-on to heavy forwarders.

Install the app and the add-on on search head cluster

Install the app and the add-on using the deployer. See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.

To prepare the app and add-on for deployment in a search head cluster, you must remove some files to prevent validation errors on startup. On the deployer, remove the inputs.conf and inputs.conf.spec file from the add-on folder at $SPLUNK_HOME/etc/shcluster/apps/splunk_ta_sap_etd_alerts/default.

Turn off visibility for the add-on on your search heads

To turn off visibility for the add-on, follow these steps to update the app.conf file:

  1. On the deployer, create an app.conf file in the folder $SPLUNK_HOME/etc/shcluster/apps/splunk_ta_sap_etd_alerts/local.
  2. Edit the local/app.conf file.
  3. Set the is_visible setting to false:
    [ui]
    is_visible = false

Configure the search head tier to directly forward data to the indexer tier

  1. Create an outputs.conf file based on the following example. Keep comments on their own lines, because Splunk reads a trailing "#" on a setting line as part of the value:
    # Turn off indexing on the search head
    [indexAndForward]
    index = false
    
    [tcpout]
    # Name of the search peer group
    defaultGroup = my_search_peers
    forwardedindex.filter.disable = true
    indexAndForward = false
    
    [tcpout:my_search_peers]
    # List of peers
    server=10.10.10.1:9997,10.10.10.2:9997,10.10.10.3:9997
    
  2. If you use clustered search heads, place the outputs.conf file in $SPLUNK_HOME/etc/shcluster/apps/splunk_app_sap_etd_alerts/local and run the splunk apply shcluster-bundle command on the deployer to push the configuration bundle to peers. If you use multiple independent search heads, place the outputs.conf file under $SPLUNK_HOME/etc/apps/splunk_app_sap_etd_alerts/local on all the search heads.
  3. Restart the search head instances.

You can now distribute the summary index configurations to the indexer. See Use summary indexing for increased search efficiency in the Splunk Enterprise Knowledge Manager Manual.
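The deployer preparation for a search head cluster described above (removing the inputs files from the add-on, hiding the add-on with app.conf, and forwarding search head data to the indexer tier) as one POSIX shell script. This is an added example, not part of the Splunk documentation or of the app; it assumes the packages are already unpacked under $SPLUNK_HOME/etc/shcluster/apps on the deployer, uses the folder names this page gives for each file, and only prints the splunk apply shcluster-bundle command with placeholder target and credentials instead of running it.

```shell
# Added example: prepare the SAP app and add-on bundle on an SHC deployer.
# Assumes $1 is the deployer's SPLUNK_HOME and $2 the indexer peer list;
# folder names follow this page (app.conf and inputs removal in the TA folder,
# outputs.conf in the app folder, as the clustered steps state).
TA_DIR="splunk_ta_sap_etd_alerts"
APP_DIR="splunk_app_sap_etd_alerts"
# Step 1: remove inputs.conf and inputs.conf.spec so the bundle does not
# fail validation when the cluster members start.
remove_addon_inputs() {
    base="$1/etc/shcluster/apps/$TA_DIR/default"
    rm -f "$base/inputs.conf" "$base/inputs.conf.spec"
}
# Step 2: hide the add-on in Splunk Web on every cluster member.
write_app_conf() {
    dir="$1/etc/shcluster/apps/$TA_DIR/local"
    mkdir -p "$dir"
    printf '[ui]\nis_visible = false\n' > "$dir/app.conf"
}
# Step 3: forward search head data to the indexers. Comments are written on
# their own lines; Splunk would treat a trailing "# ..." as part of a value.
write_outputs_conf() {
    dir="$1/etc/shcluster/apps/$APP_DIR/local"
    peers="$2"
    mkdir -p "$dir"
    cat > "$dir/outputs.conf" <<EOF
# Turn off indexing on the search head
[indexAndForward]
index = false
[tcpout]
defaultGroup = my_search_peers
forwardedindex.filter.disable = true
indexAndForward = false
[tcpout:my_search_peers]
server = $peers
EOF
}
# Sanity check before pushing: no setting line carries a trailing comment.
check_no_inline_comments() {
    ! grep -q '=.*#' "$1"
}
# usage: prepare_bundle "$SPLUNK_HOME" "10.10.10.1:9997,10.10.10.2:9997"
prepare_bundle() {
    remove_addon_inputs "$1"
    write_app_conf "$1"
    write_outputs_conf "$1" "$2"
    check_no_inline_comments "$1/etc/shcluster/apps/$APP_DIR/local/outputs.conf"
    # Target and credentials are placeholders; the command is printed, not run.
    echo "Next: $1/bin/splunk apply shcluster-bundle -target <captain_uri>:8089 -auth <user>:<password>"
}
```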

Install the add-on to heavy forwarders

Follow your preferred method of deploying the Splunk Security Add-on for SAP solutions to one or more heavy forwarders.

Choose from the following options:

  • Follow the Install app from file guided setup on Manage Apps in Splunk Web.
  • Install manually using the command line.
  • Use a deployment server to deploy the unconfigured packages to your forwarders. Do not configure the app or add-on prior to deploying it.

The add-on does not support universal forwarders or light forwarders because the configuration logic handled by the add-on requires Python. In addition, to configure SAP accounts in the add-on, you must do so using the add-on configuration UI in Splunk Web rather than in the configuration files.

Install on Splunk Cloud Platform

Follow the instructions that match the type of Splunk Cloud Platform deployment you have:

  • Install on self-service Splunk Cloud Platform
  • Install on managed Splunk Cloud Platform

To determine whether you're on a managed or self-service Splunk Cloud Platform, see Splunk Cloud Platform deployment types in the Splunk Cloud Platform Admin Manual.

Install on self-service Splunk Cloud Platform

  1. In Splunk Cloud Platform, go to the home screen.
  2. Select the gear icon next to Apps in the navigation bar to open the Manage Apps page.
  3. Find the Splunk Security App for SAP solutions in your list of installed apps. The latest version has the folder name splunk_app_sap_etd_alerts and the version number 1.0.0.
  4. If you do not have a supported version of the Splunk Security App for SAP solutions in your app list, follow these steps:
    1. Select Browse more apps.
    2. In the search bar, enter SAP and find Splunk Security App for SAP solutions in the results.
    3. Select Install free.
    4. Follow the guided setup to install the app.
  5. Find the Splunk Security Add-on for SAP solutions in the app list on the Manage Apps page. This add-on has the folder name splunk_app_sap_etd_alerts and the version number 1.0.0. You need both the app and the add-on installed. If the add-on appears in the list, check the version number.
    1. If you do not see the Splunk Security Add-on for SAP solutions listed, it might not be installed. Contact Splunk Support to obtain entitlement license assistance for the add-on.
    2. If the add-on is turned off, select Enable under the Status column to turn it on.


Install on managed Splunk Cloud Platform

To install or upgrade the app to the latest version, contact Splunk Support for assistance. Splunk Support can install the correct version of the app and its dependencies and assist you with any migration tasks.

Last modified on 21 April, 2023

This documentation applies to the following versions of Splunk® Security App for SAP® solutions: 1.0.0

