Install the Splunk Add-on for Check Point OPSEC LEA
- Get the Splunk Add-on for Check Point OPSEC LEA by downloading it from https://splunkbase.splunk.com/app/3197 or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the tables below.
- Complete your installation.
Use the tables below to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
Note: Linux (RHEL/CentOS 5.x, 6.x, or 7.x) is required for forwarders but search heads and indexers are platform independent.
|Splunk instance type||Supported||Required||Comments|
|Search Heads||Yes||Yes||Install this add-on to all search heads where Check Point OPSEC LEA knowledge management is required. Splunk recommends that you turn the Visible setting off for the add-on on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) your data collection node.|
|Indexers||Yes||Conditional||This add-on does not need to be installed on indexers if it is installed on a heavy forwarder.|
|Heavy Forwarders||Yes||See comments||Install this add-on on either a heavy or light forwarder for data collection. Because this add-on retains state and checkpoint locally on the data ingestion node, the forwarder needs to be backed up.|
|Universal Forwarders||No||No||The universal forwarder is not supported because this add-on requires Python.|
|Light Forwarders||Yes||See comments||Install this add-on on either a heavy or light forwarder for data collection. If installed on a light forwarder, the add-on must also be installed on your indexers. Because this add-on retains state and checkpoint locally on the data ingestion node, the forwarder needs to be backed up.|
Distributed deployment feature compatibility
This table describes the compatibility of this add-on with Splunk distributed deployment features.
|Distributed deployment feature||Supported||Comments|
|Search Head Clusters||Yes|
|Indexer Clusters||Yes||Before installing this add-on to an Indexer cluster, remove the |
|Deployment Server||No||This add-on does not support installation or configuration via Deployment Server. This add-on retains state and checkpoint locally on the data ingestion node. For this reason, you cannot use a deployment server because of potential for duplication by running on multiple forwarders.|
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
Installation and configuration overview for the Splunk Add-on for Check Point OPSEC LEA
Upgrade the Splunk Add-on for Check Point OPSEC LEA
This documentation applies to the following versions of Splunk® Supported Add-ons: released