Splunk® Enterprise

Add Symantec Endpoint Protection data: Distributed deployment with indexer clustering

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Install the Splunk Add-on for SEP onto your indexer cluster

Follow these instructions to install an add-on on clustered indexers in a distributed Splunk Enterprise deployment:

You must use the master node to deploy add-ons to the peer nodes. Do not use a deployment server or any third party deployment tool.

Modify the configuration files

Make the following edits to the files you want to distribute to the peers:

  1. Inspect the add-on for indexes.conf files. For each index defined in an add-on-specific indexes.conf file, set repFactor=auto so that the index gets replicated across all peers.
  2. Place the add-on in the master-apps directory on the master node.

Use Splunk Web to validate the bundle and check restart

To use Splunk Web to validate the bundle and check restart, complete the following steps:

  1. On the master node, in Splunk Web, click Settings > Indexer Clustering.
    The Master Node dashboard opens.
  2. Click Edit > Configuration Bundle Actions.
  3. Click Validate and Check Restart > Validate and Check Restart.
    A message appears that indicates bundle validation and whether check restart succeeds or fails. You can distribute the bundle from the master to the peer nodes using either Splunk Web or the CLI.<
    If validation and check restart fails, then the bundle is not acceptable for distribution to the peers. In this case, review the bundle details for information that might help you troubleshoot the issue. Make sure that the configuration bundle structure is correct for distribution to peer nodes.

Use Splunk Web to apply the bundle to the peer nodes

To apply the configuration bundle to the peer nodes, complete the following steps:

  1. On the master node, in Splunk Web, click Settings > Indexer clustering.
    The Master Node dashboard appears.
  2. Click Edit > Configuration Bundle Actions.
    The configuration bundle actions dashboard opens, showing information on the last successful bundle push.
  3. Click Push.
    A pop-up window warns you that the distribution might, under certain circumstances, initiate a restart of all peer nodes.
  4. Click Push Changes.
    The screen provides information on the distribution progress. Once the distribution completes or aborts, the screen indicates the result.
    • In the case of a successful distribution, after each peer successfully validates the bundle, the master coordinates a rolling restart of all the peer nodes, if necessary.
    • In the case of an aborted distribution, it indicates which peers could not receive the distribution. Each peer must successfully receive and apply the distribution. If any peer is unsuccessful, none of the peers will apply the bundle.

    When the push is successful, the peers use their new set of configurations, now located in their local $SPLUNK_HOME/etc/slave-apps.

    Leave the files in $SPLUNK_HOME/etc/slave-apps.

Use Splunk Web to view the status of the bundle push

Once an app has been distributed to the set of peers, you launch and manage it on each peer with Splunk Web.

The apply cluster-bundle command takes an optional flag, --skip-validation, for use in cases where a problem exists in the validation process. You should only use this flag under the direction of Splunk Support and after ascertaining that the bundle is valid. Do not use this flag to circumvent the validation process unless you know what you are doing.

You can also validate the bundle without applying it. This is useful for debugging some validation issues.

Last modified on 07 December, 2018
Install the Splunk Add-on for Symantec Endpoint Protection on your search heads   Configure the Symantec Endpoint Protection Manager to export your log data

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters