Splunk® App for CEF

Deploy and Use Splunk App for CEF

Download manual as PDF

Download topic as PDF

Hardware and software requirements for the Splunk App for CEF

Platform requirements

The Splunk App for CEF requires Splunk Enterprise running on Linux or Windows. Tested versions for search heads and indexers include CentOS 7 x64 and Windows 2012 R2 x64. Refer to the Performance expectations for the Splunk App for CEF to estimate your sizing requirements.

For more information about other Splunk Enterprise hardware and software requirements, see System Requirements in the Installation Manual in the Splunk Enterprise documentation.

Splunk Enterprise version

The Splunk App for CEF works with Splunk Enterprise 7.2 and later.

KV store requirements

The Splunk App for CEF relies on the Splunk KV Store to store output group definitions. For more information about KV Store, including the system requirements, see About the app key value store in the Splunk Enterprise Admin manual.

Browser compatibility

The Splunk App for CEF is compatible with the same browsers as Splunk Enterprise. See Supported browsers in the Splunk Enterprise Installation Manual for details.

Splunk ACL requirements

The Splunk App for CEF requires the rtsearch, schedule_search and schedule_rtsearch capabilities to configure the searches and distribute the output group configuration to your indexers.

Resource requirements

The Splunk App for CEF requires a distributed Splunk Enterprise environment. During the installation or upgrade process, you install the Splunk App for CEF on a search head to configure the output mapping, then install the Splunk Add-on for CEF Output, which the app creates for you, to your indexers.

See Performance expectations for the Splunk App for CEF for reference information that you can use to size your deployment.

Data models

Deploying the Splunk App for CEF requires you to be familiar with the concept of data models, because using the Splunk App for CEF involves manually mapping attributes from the data model to fields in CEF.

If you have defined your own data models to which you want to map your data, you are ready to use the Splunk App for CEF. If not, consider installing the Splunk Common Information Model (CIM) Add-on, which includes many preconfigured data models.

Last modified on 06 January, 2020
PREVIOUS
Installation and configuration overview for the Splunk App for CEF 		  NEXT
Performance expectations for the Splunk App for CEF

This documentation applies to the following versions of Splunk® App for CEF: 2.2.0, 2.3.0

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters