Splunk® Supported Add-ons

Splunk Add-on for Cisco ASA

Install the Splunk Add-on for Cisco ASA

This topic provides an overview of installing your add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in.

Where to install this add-on

Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.

This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.

| Splunk platform instance type | Supported | Required | Actions required / Comments |
| --- | --- | --- | --- |
| Search Heads | Yes | Yes | Install this add-on to all search heads where Cisco ASA knowledge management is required. |
| Indexers | Yes | Conditional | Not required if you use heavy forwarders to collect data. Required if you use universal or light forwarders to collect data. |
| Heavy Forwarders | Yes | See comments | This add-on supports forwarders of any type for data collection. |
| Universal Forwarders | Yes | See comments | |

Distributed deployment feature compatibility

This table describes the compatibility of this add-on with Splunk distributed deployment features.

| Distributed deployment feature | Supported | Actions required |
| --- | --- | --- |
| Search Head Clusters | Yes | You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection. Before installing this add-on to a cluster, make the following changes to the add-on package: 1. Remove the eventgen.conf files and all files in the samples folder. 2. Remove the inputs.conf file. |
| Indexer Clusters | Yes | Before installing this add-on to a cluster, make the following changes to the add-on package: 1. Remove the eventgen.conf files and all files in the samples folder. 2. Remove the inputs.conf file. |
| Deployment Server | Yes | Supported for deploying the configured add-on to multiple nodes. |
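
The two package changes listed above for search head clusters and indexer clusters, as an added shell example (not part of the Splunk documentation or the add-on itself). It assumes the add-on package has already been unpacked to a directory; the package name example_addon, its file layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Splunk's tooling): strip an unpacked add-on package
# before installing it to a search head cluster or indexer cluster.

# Removes eventgen.conf files, all files in samples folders, and inputs.conf
# files under the given package directory, printing each path it deletes.
prepare_for_cluster() {
    pkg=$1
    [ -d "$pkg" ] || { echo "not a directory: $pkg" >&2; return 2; }
    # Work relative to the package root so a parent directory that happens
    # to be named "samples" never matches the -path test.
    ( cd "$pkg" || exit 2
      # Step 1: eventgen.conf files and all files in the samples folder.
      find . -type f \( -name eventgen.conf -o -path '*/samples/*' \) \
          -print -exec rm -f {} +
      # Step 2: the inputs.conf file.
      find . -type f -name inputs.conf -print -exec rm -f {} + )
}

# Succeeds only when none of the files named in steps 1 and 2 remain.
cluster_ready() {
    left=$(cd "$1" && find . -type f \( -name eventgen.conf \
        -o -name inputs.conf -o -path '*/samples/*' \) | head -n 1)
    [ -z "$left" ]
}

# Constructed sample tree (hypothetical package name and file layout).
make_sample_package() {
    root=$(mktemp -d) || return 1
    pkg="$root/example_addon"
    mkdir -p "$pkg/default" "$pkg/samples"
    : > "$pkg/default/eventgen.conf"
    : > "$pkg/default/inputs.conf"
    : > "$pkg/default/props.conf"
    : > "$pkg/samples/sample.log"
    echo "$pkg"
}

# Usage: sh prepare.sh /path/to/unpacked/add-on
if [ "$#" -eq 1 ]; then
    prepare_for_cluster "$1" && cluster_ready "$1" && echo "ready: $1"
fi
```

Run it against a copy of the unpacked package, then repackage that copy for the cluster; props.conf and transforms.conf are left in place.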

Advanced information

Each add-on differs depending on what it contains:

  • Add-ons that contain search-time functionality, such as dashboards, prebuilt panels, saved searches, macros, tags, data models, and lookups, need to be installed on your search heads.
  • Add-ons that contain data manipulation functionality, usually in props.conf and transforms.conf files, should be installed on search heads, indexers, and forwarders. This data manipulation can apply at various phases in the data pipeline: parsing, indexing, or search. Unless you are certain of where the data manipulation functions of the add-on occur, install it across all tiers of your architecture.
  • Add-ons that contain inputs belong on forwarders, and in some select cases also on search heads. Inputs that contain dynamic lookups need to be installed on search heads because they feed results back into the input directly from the search. Consult the documentation of the add-on for special instructions.

| If the add-on contains: | Dashboards or panels | Search objects | Props and transforms | Inputs |
| --- | --- | --- | --- | --- |
| It must be installed on search heads | Yes | Yes | Yes | No, except special cases |
| It must be installed on indexers | No | No | Yes | No |
| It must be installed on forwarders | No | No | Yes | No |

For more information about how Splunk Enterprise components correlate to phases in the data pipeline, see "Configuration parameters and the data pipeline" in the Splunk Administration Guide.

Summary of limitations

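| | Can install manually on search heads | Can install manually on indexers | Can install manually on forwarders | Can install with a deployment server on indexers | Can install with a deployment server on forwarders | Can install on a Search Head Cluster |
| --- | --- | --- | --- | --- | --- | --- |
| Add-on collects remote data via modular or scripted input | Yes | Yes | Yes | Yes | No | See notes* |
| Add-on uses credential management | Yes | Yes | Yes | Yes | No | See notes** |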

* You can install add-ons on a search head cluster for all search-time functionality, but inputs should be configured on a forwarder to avoid duplicate data collection.

** Add-ons that use credential management can be installed on a search head cluster only in one of these circumstances:

  • You are using Splunk platform 6.3.X or later.
  • You are using Splunk platform 6.2.X, and the credentials are not required on the search heads. If credentials are required only for data collection, set up a forwarder to handle the inputs and configure the credentials on that node. Some add-ons do require the search heads to communicate directly with a third-party system using stored credentials. These add-ons are not supported on search head clusters in 6.2.X.
Last modified on 29 June, 2020

This documentation applies to the following versions of Splunk® Supported Add-ons: released, released

