Splunk Enterprise deployment planning
The Splunk App for Enterprise Security is installed into a Splunk Enterprise environment. Depending upon the search load and volume of data being processed, you have several architectures to consider.
Common deployment architectures
This topic covers how to integrate the Splunk App for Enterprise Security in the following existing deployment architectures:
- Single-server deployment
- Distributed search deployment
The recommended deployment architectures have the components:
|Search head||A Splunk Enterprise instance that is the central location for Splunk apps and search knowledge, hosting the users, and providing authentication and authorization. The search head also manages and directs search requests to the few or many indexers. The Splunk App for Enterprise Security must be installed on its own search head.|
|Indexer||A Splunk Enterprise instance that processes search requests from search heads. The indexer also accepts incoming data streams from forwarders, transforms the stream into events, and writes the events into indexes.|
|Forwarders||A lightweight Splunk Enterprise instance that obtains and streams data to the indexers. Forwarders are designed to load balance the data streams between indexers.|
For simple deployments, use a single server with the Splunk App for Enterprise Security installed. A single-server instance serves both the search head and indexer roles, accepting data streams from forwarders along with storing and searching the data. A single-server Splunk Enterprise configuration is commonly used for a lab or test environment, and supports one or two users running concurrent searches. For more information about storage requirements and the Enterprise Security app, see "Indexers" in this topic.
Whenever possible, use forwarders for data collection.
Distributed search deployments
A distributed Splunk Enterprise deployment is recommended when running the Splunk App for Enterprise Security. A dedicated search head or search cluster for the Enterprise Security app provides the user interface and search management. A set of indexers provides improved search performance by distributing the workload of searching data. Having multiple indexers also allows for distributing the forwarders incoming data streams, and the workload of processing those streams.
For scaling recommendations, see "Indexers" in this topic . To review critical details in determining scale and the hardware required, see "Introduction to capacity planning for Splunk Enterprise" in the Capacity Planning Manual.
Whenever possible, use forwarders for data collection.
Splunk Enterprise system requirements
The Splunk App for Enterprise Security 3.3.1 requires Splunk Enterprise version 6.2.3 or 6.3.x and a 64-bit OS install on all search heads and indexers.
For the list of supported OS's, browsers, and file systems, see "System Requirements" in the Splunk Enterprise Installation Manual.
Note Configuring Splunk Enterprise on a *nix OS requires a review of the ulimit settings. See "Considerations regarding file descriptor limits (FDs) on *nix systems" in the Splunk Enterprise Installation Manual.
Install the Splunk App for Enterprise Security on its own search head. Install only CIM compatible add-ons with the Enterprise Security app.
The Splunk App for Enterprise Security 3.0 and later changed all real-time searches to use indexed real-time searches for improved indexing performance. For more information, see "About real-time searches and reports" in the Search Manual. If the configuration is reverted to use real-time searches, the overall indexing capacity will be reduced. To review the performance implications, see "Known limitations of real-time searches" in the Search Manual.
An Enterprise Security search head requires a minimum of 16 CPU cores. Additional cores are necessary depending on search concurrency, search type, and number of users. For the latest reference hardware requirements for Splunk Enterprise, see "Reference Hardware: Dedicated search head" in the Capacity Planning Manual
Note: SPARC platform support is a deprecated feature, and cannot be used with the Enterprise Security app.
An Enterprise Security search head requires a minimum of 16GB of RAM. Add more memory to address search concurrency, the number of correlation searches enabled, and the size of the asset and identity tables referenced by the Enterprise Security app.
Forward search head data to indexers
In a distributed search deployment, configure the search head to forward all data to the indexers. See "Forward search head data to the indexer layer" in the Distributed Search manual. This configuration is required to implement search head pooling or search head clustering.
Search head pooling
Note: Search head pooling is a deprecated feature of Splunk Enterprise 6.2. See "Features deprecated" in the Splunk Enterprise Release Notes Manual.
The Splunk App for Enterprise Security supports search head pooling. Install only CIM compatible apps or add-ons with the Enterprise Security app in a search head pool.
Search head pooling has significant performance considerations. If you are planning to implement a search head pool, see "Search head pooling configuration issues" in the Distributed Search Manual.
For information about search head pooling and implementation issues, see "Overview of search head pooling" in the Distributed Search Manual.
Search head clustering
The Splunk App for Enterprise Security supports installation on a search head cluster. For an overview of the changes to the Enterprise Security app when running on a cluster of search heads, see the "Search Head Clustering" topic in this manual.
The Splunk App for Enterprise Security requires the KV Store feature. For more information about KV Store, including the system requirements, see "About the app key value store" in the Splunk Enterprise Admin Manual.
Indexing is an I/O-intensive process. The indexers require sufficient disk I/O to ingest data and respond to search requests. For the latest IOPS requirements to run Splunk Enterprise, see "Reference Hardware: Indexer" in the Capacity Planning Manual.
Splunk Enterprise scales horizontally through the use of indexers. The number of indexers required in a deployment is dependent on the data volume, retention requirements, search type, and search concurrency. The Splunk App for Enterprise Security indexer scaling recommendation is one indexer per 100GB of indexed data volume per day.
Data volume (GB/day) 100 300 500 1000 2000 Required Indexer count with one Enterprise Security search head. 1 3 5 10 20
These recommendations are based on tests with 15 correlation searches enabled. More correlation searches typically require more indexers.
Indexers can serve more than one search head. Additional, non-Enterprise Security search heads impact the performance of the indexers, and as a result the resources available to the Enterprise Security search infrastructure is reduced. Increase the number of indexers to scale with the increase in search load and search concurrency.
For more information about the indexes required for the Splunk App for Enterprise Security, see "Indexes" in this manual.
The Splunk App for Enterprise Security supports both single site and multisite cluster architectures. See "The basics of cluster architecture" and "Multisite cluster architecture" in the Managing Indexers and Clusters Manual.
A single site or multisite cluster architecture can have one search head, search head pool, or search head cluster with a running instance of the Splunk App for Enterprise Security. Additional, single instance search heads cannot run the Enterprise Security app.
Using the clustering feature changes the way you must deploy apps and configuration files to the indexer peer nodes. See "Manage common configurations across all cluster peers" and "Manage app deployment across all cluster peers" in the Managing Indexers and Clusters Manual.
The Splunk App for Enterprise Security 3.0 and later uses accelerated data models. Data model acceleration uses the indexers for processing and storage, with the contents being stored alongside each index. To calculate the additional storage needed on the indexers based on the total volume of data, use the formula:
- Accelerated data model storage/year = Data volume per day * 3.4
- This formula assumes that you are using the recommended retention rates for the accelerated data models.
- Example: If you process 100GB/day of data volume for use with Enterprise Security, you need approximately 340GB more space available across all of the indexers to allow for up to one year of data model retention and source retention.
The storage used for data model acceleration is not added to index sizing calculations for maintenance tasks such as bucket rolling and free space checks. For additional information, see "Data model acceleration storage and retention" in this manual.
Splunk Enterprise 6.1 and later implements new configuration parameters for data model acceleration tasks. See "Advanced configurations for persistently accelerated data models" in the Knowledge Manager Manual.
The Splunk deployment server deploys Splunk apps to nodes within the Splunk Enterprise environment. You use it to deploy add-ons or TA's to forwarders and indexers for distributing index-time knowledge.
The use of the Splunk Enterprise search head or indexer clustering features changes the method used to deploy apps and configuration files. Do not use deployment server to deploy directly to cluster members. Each clustered tier, search heads and indexers, has their own configuration methodology and tool.
The Splunk App for Enterprise Security includes a set of sample apps to provide examples of basic configurations to deploy to forwarders and indexers. The sample apps are available in an archive file contained in the Enterprise Security Install App. You need server access to unzip the archive where the sample apps are stored.
- Unzip this file:
- Find the deployment-apps at:
See "About deployment server and forwarder management" in the Updating Splunk Enterprise Instances Manual for information about the deployment server.
Installing the Splunk App for Enterprise Security in a virtualized environment requires the same memory and CPU allocation as an installation in a non-virtualized, bare-metal environment. You must reserve all CPU and memory resources, with no oversubscription of hardware.
In a virtualized environment, test the storage IOPS simultaneously across all Splunk Enterprise nodes. The results from every node must conform to the "Reference Hardware" IOPS specified in the Capacity Planning Manual.
For explicit VMware configuration details, download and review the technical brief: "Deploying Splunk Inside Virtual Environments: Configuring VMware Virtual Machines to Run Splunk" available in "Splunk Resources".
The Splunk App for Enterprise Security is available as a SaaS environment on Splunk Cloud. For more information on Splunk Cloud services, see the Splunk Cloud Products page.
Distributed Management Console
If the DMC is enabled on an ES search head, it must remain in a standalone mode. For more information on when and how to configure the DMC for use in a distributed environment, see "Which instance should host the distributed management console?" in the Splunk Enterprise Admin Manual.
Using the Splunk App for Enterprise Security with other apps
The Splunk App for Enterprise Security relies on the knowledge supplied through add-ons. The add-ons define the event processing necessary to optimize, normalize, and categorize your IT security data for use with the Common Information Model and the Enterprise Security app. Apps that are compatible with the Splunk App for Enterprise Security are documented as CIM compliant or CIM compatible.
Splunk apps and other add-ons that have been developed separately from Enterprise Security often include data knowledge that has not been normalized for the CIM, and might prevent the proper functioning of the Enterprise Security searches and dashboards that rely on those fields.
Learn More and how to get help
Plan your data inputs
This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.1