Install the Splunk Add-on for Cisco ASA
This topic provides an overview of installing your add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in.
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See "Where to install Splunk add-ons" in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.
|Splunk platform instance type||Supported||Required||Actions required / Comments|
|Search Heads||Yes||Yes||Install this add-on to all search heads where Cisco ASA knowledge management is required.|
|Indexers||Yes||Conditional||Not required if you use heavy forwarders to collect data. Required if you use universal or light forwarders to collect data.|
|Heavy Forwarders||Yes||See comments||This add-on supports forwarders of any type for data collection.|
|Universal Forwarders||Yes||See comments||This add-on supports forwarders of any type for data collection.|
Distributed deployment feature compatibility
This table describes the compatibility of this add-on with Splunk distributed deployment features.
|Distributed deployment feature||Supported||Actions required|
|Search Head Clusters||Yes||You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection. Before installing this add-on to a cluster, make the following changes to the add-on package:|
|Indexer Clusters||Yes||Before installing this add-on to a cluster, make the following changes to the add-on package:|
|Deployment Server||Yes||Supported for deploying the configured add-on to multiple nodes.|
Each add-on differs depending on what it contains:
- Add-ons that contain search-time functionality, such as dashboards, prebuilt panels, saved searches, macros, tags, data models, and lookups, need to be installed on your search heads.
- Add-ons that contain data manipulation functionality, usually in transforms.conf files, should be installed on search heads, indexers, and forwarders. This data manipulation can apply at various phases in the data pipeline: parsing, indexing, or search. Unless you are certain of where the data manipulation functions of the add-on occur, install it across all tiers of your architecture.
- Add-ons that contain inputs belong on forwarders, and in some select cases also on search heads. Inputs that contain dynamic lookups need to be installed on search heads because they feed results back into the input directly from the search. Consult the documentation of the add-on for special instructions.
|If the add-on contains:||Dashboards or panels||Search objects||Props and transforms||Inputs|
|It must be installed on search heads||Yes||Yes||Yes||No, except special cases|
|It must be installed on indexers||No||No||Yes||No|
|It must be installed on forwarders||No||No||Yes||No|
For more information about how Splunk Enterprise components correlate to phases in the data pipeline, see "Configuration parameters and the data pipeline" in the Splunk Administration Guide.
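The three bulleted rules above can be applied to an unpacked add-on directory before you decide where to deploy it. The following Python sketch is an added example, not code from Splunk or from this add-on; the function names, the sample layout, and the choice of which .conf files count as search objects are assumptions based on the standard Splunk app directory layout.

```python
import os
import tempfile

# File and directory names follow the standard Splunk app layout (assumption);
# the category-to-tier mapping restates the three bulleted rules above.
SEARCH_TIME = {"savedsearches.conf", "macros.conf", "tags.conf",
               "eventtypes.conf", "datamodels.conf"}
DATA_MANIPULATION = {"props.conf", "transforms.conf"}
ALL_TIERS = {"search heads", "indexers", "forwarders"}


def classify_addon(root):
    """Return (contents, tiers) for an unpacked add-on directory."""
    confs = set()
    for sub in ("default", "local"):
        path = os.path.join(root, sub)
        if os.path.isdir(path):
            confs.update(os.listdir(path))
    contents = set()
    ui = os.path.join(root, "default", "data", "ui")
    if any(os.path.isdir(os.path.join(ui, d)) for d in ("views", "panels")):
        contents.add("dashboards or panels")
    if confs & SEARCH_TIME or os.path.isdir(os.path.join(root, "lookups")):
        contents.add("search objects")
    if confs & DATA_MANIPULATION:
        contents.add("props and transforms")
    if "inputs.conf" in confs:
        contents.add("inputs")

    tiers = set()
    if contents & {"dashboards or panels", "search objects"}:
        tiers.add("search heads")
    if "props and transforms" in contents:
        tiers |= ALL_TIERS          # pipeline phase unknown: install on every tier
    if "inputs" in contents:
        tiers.add("forwarders")     # dynamic-lookup inputs also need search heads
    return contents, tiers


def build_sample(root):
    """Constructed sample layout (hypothetical add-on, not the Cisco ASA package)."""
    for rel in ("default/props.conf", "default/transforms.conf",
                "default/tags.conf", "default/inputs.conf", "lookups/x.csv"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(classify_addon(tmp))
```

A package that reports "inputs" is the case to review before a search head cluster deployment, since inputs should be configured on forwarders to avoid duplicate data collection.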
Summary of limitations
|Can install manually on||Can install with a deployment server on||Can install on a Search Head Cluster|
|Add-on collects remote data via modular or scripted input||Yes||Yes||Yes||Yes||No||See notes*|
|Add-on uses credential management||Yes||Yes||Yes||Yes||No||See notes**|
* You can install add-ons on a search head cluster for all search-time functionality, but inputs should be configured on a forwarder to avoid duplicate data collection.
** Add-ons that use credential management can be installed on a search head cluster only in one of these circumstances:
- You are using Splunk platform 6.3.X or later.
- You are using Splunk platform 6.2.X, and the credentials are not required on the search heads. If credentials are required only for data collection, set up a forwarder to handle the inputs and configure the credentials on that node. Some add-ons do require the search heads to communicate directly with a third-party system using stored credentials. These add-ons are not supported on search head clusters in 6.2.X.
This documentation applies to the following versions of Splunk® Supported Add-ons: released, released