Related Answers
Download topic as PDF
Install the Splunk Add-on for Microsoft Security
Use the tables in this topic to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise. See the installation walkthrough at the end of this topic for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
Where to install this add-on for a distributed deployment
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. This table provides a quick reference for installing this add-on to a distributed deployment of Splunk Enterprise.
| Splunk instance type | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | This add-on contains search-time knowledge. If possible, turn off visibility on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of, or in addition to, on your data collection node. |
| Indexers | Yes | No | Not required because the parsing operations occur on the forwarders. |
| Heavy Forwarders | Yes | No | Recommended. Install this add-on on a heavy forwarder for data collection. To avoid duplicates, configure data collection in a single location. |
| Universal Forwarders | No | No | Universal forwarders are not supported for data collection because the modular inputs require Python and the Splunk REST handler. |
Installation walkthrough
See "Installing add-ons" in Splunk Add-Ons for detailed instructions describing how to install a Splunk add-on in the following deployment scenarios:
|
PREVIOUS Installation and configuration overview for the Splunk Add-on for Microsoft Security |
NEXT Migrate and upgrade the Splunk add-on for Microsoft Security |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!