Install Enterprise Security
This topic describes installing an on-premises search head with Splunk Enterprise Security.
Splunk Enterprise Security prerequisites
To view the platform requirements for Splunk Enterprise Security, see Deployment planning in this manual. For an overview of the data sources and collection considerations for ES, see Data source planning in this manual.
Step 1. Download Splunk Enterprise Security
- Browse to splunk.com and log in with your Splunk.com ID. You must be a licensed Enterprise Security customer to download the product.
- Download the latest Splunk Enterprise Security product.
- Choose Download, and save the Splunk Enterprise Security product file to your desktop.
- Log in to the search head as an administrator.
Step 2. Install Splunk Enterprise Security
- On the Splunk Enterprise search page, browse to Apps > Manage Apps and choose Install App from File.
- Select Choose File and browse to the Splunk Enterprise Security product file.
- Select Upload to begin the installation.
- Select Set up now to begin the ES setup.
Step 3. Set up Splunk Enterprise Security
- Select Start.
- The Splunk Enterprise Security Post-Install Configuration page indicates the status as it moves through the stages of installation.
- Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page will prompt you to restart Splunk platform services.
- Select Restart Splunk to finish the installation.
- Note: The installation of Enterprise Security will enable SSL on the search head. You must change the Splunk URL to use https to access the search head after installing ES.
Step 4. Configure Enterprise Security
To continue configuring Splunk Enterprise Security, see the following.
- Install and deploy add-ons
- Configure and deploy Indexes
- Configure users and roles
- Configure data models
Installation from a command line
Perform a Splunk Enterprise Security installation using the Splunk software command line. See About the CLI for more about the Splunk software command line.
- Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
- Start the installation process on the search head. Follow Step 2: Install Splunk Enterprise Security or perform a REST call to start the installation from the server command line. For example:
curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<filename and directory>" -d update="true" -v
- On the search head, use the Splunk software command line to run:
splunk search '| testessinstall' -auth admin:password
- Review the installation log in:
$SPLUNK_HOME/var/log/splunk/essinstaller2.log
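The following wrapper script, added here as an example and not part of Splunk's documentation or tooling, carries out the three command-line steps above (REST install, verification search, log review) while keeping the administrator password out of the process list and shell history. Everything beyond the page's own commands is this example's assumption: credentials are read from a curl netrc file that must be owner-only, the management port certificate is verified against SPLUNK_MGMT_CACERT (falling back to the page's -k only when SPLUNK_MGMT_INSECURE=1 is set explicitly), the splunk CLI is expected to prompt for credentials or reuse a session from `splunk login` instead of taking -auth on the command line, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not Splunk's own code: wrapper for the command-line ES install.
# All defaults below are assumptions; override them through the environment.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SPLUNK_MGMT_URI="${SPLUNK_MGMT_URI:-https://localhost:8089}"
SPLUNK_MGMT_CACERT="${SPLUNK_MGMT_CACERT:-$SPLUNK_HOME/etc/auth/cacert.pem}"
SPLUNK_NETRC="${SPLUNK_NETRC:-$HOME/.splunk-netrc}"
ES_INSTALL_LOG="${ES_INSTALL_LOG:-$SPLUNK_HOME/var/log/splunk/essinstaller2.log}"

# Succeed only if the netrc file exists and is readable by its owner alone,
# so a world-readable credential file is never handed to curl.
netrc_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null)
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the TLS verification option(s) curl should receive, one per line.
tls_option() {
    if [ "${SPLUNK_MGMT_INSECURE:-0}" = 1 ]; then
        printf '%s\n' -k
    else
        printf '%s\n' --cacert "$SPLUNK_MGMT_CACERT"
    fi
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Count ERROR-level lines in the install log. The page only says to review the
# log; counting lines with a " ERROR " level token is this example's check.
install_log_error_count() {
    if [ -f "$1" ]; then
        grep -c ' ERROR ' "$1" || true
    else
        echo 0
    fi
}

# The three steps from the page: REST install, verification search, log review.
es_install() {
    pkg="$1"
    [ -f "$pkg" ] || { echo "package not found: $pkg" >&2; return 1; }
    if [ "${SPLUNK_MGMT_INSECURE:-0}" != 1 ] && [ ! -r "$SPLUNK_MGMT_CACERT" ]; then
        echo "CA certificate $SPLUNK_MGMT_CACERT not readable; set SPLUNK_MGMT_CACERT" >&2
        return 1
    fi
    netrc_perms_ok "$SPLUNK_NETRC" || {
        echo "$SPLUNK_NETRC missing or not mode 0600; refusing to use it" >&2
        return 1
    }
    # $(tls_option) is deliberately unquoted: it expands to one or two arguments.
    run curl --silent --show-error $(tls_option) --netrc-file "$SPLUNK_NETRC" \
        "$SPLUNK_MGMT_URI/services/apps/local" \
        -d filename=true -d "name=$pkg" -d update=true || return 1
    # The splunk CLI prompts for credentials here, or reuses a session from a
    # prior `splunk login`, so no -auth admin:password on the command line.
    run "$SPLUNK_HOME/bin/splunk" search '| testessinstall' || return 1
    errors=$(install_log_error_count "$ES_INSTALL_LOG")
    echo "ERROR lines in $ES_INSTALL_LOG: $errors"
    [ "$errors" -eq 0 ]
}

# Usage: ES_INSTALL_RUN=1 sh es_install.sh <path-to-ES-package>
case "${ES_INSTALL_RUN:-0}" in
    1) es_install "$1" ;;
esac
```

The netrc file holds one line of the form `machine <host> login admin password <secret>`; create it with `umask 077` so it is never world-readable. Set SPLUNK_MGMT_CACERT to the CA that signed the management port's certificate; the default path points at Splunk's own CA, which only verifies correctly if the server certificate was issued for the hostname in SPLUNK_MGMT_URI.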
Installation on a search head cluster
This topic discusses the clustered search head requirements specific to Enterprise Security, and does not replace the documentation review and testing required to implement search head clustering.
For an overview of search head clustering, see Search head clustering architecture in the Splunk Enterprise Distributed Search Manual.
For a complete list of requirements, see System requirements and other deployment considerations for search head clusters in the Splunk Enterprise Distributed Search Manual.
A staging instance is used to prepare the deployer's copy of Enterprise Security. If you have a clean testing or QA Splunk Enterprise instance in your environment, you may use that instance for staging if no other apps are installed. The instance is used for staging and upgrades only, and should not connect to production indexers or search peers.
- Prepare a staging instance.
- Install ES on staging.
- Migrate the ES install to the deployer by copying all of the apps, SAs, DAs, and TAs associated with the Splunk Enterprise Security Suite from $SPLUNK_HOME/etc/apps on the staging instance to $SPLUNK_HOME/etc/shcluster/apps on the deployer. Do not copy the entire folder, as you should not include any default apps.
- Deploy ES to the cluster members using the deployer.
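The step above warns against copying the default apps along with the ES suite. The script below, an added example rather than Splunk's own tooling, makes that selection mechanical: it records which app directories the clean staging instance has before ES is installed, and afterwards copies only the directories that appeared since, with a short guard list of well-known default app names as a second check. The directory paths, the baseline file location and the guard list are this example's assumptions; the guard list is deliberately not exhaustive, the baseline is what does the real work.

```shell
#!/bin/sh
# Added example, not Splunk's own code: copy only the ES suite from a staging
# instance's apps directory to the deployer's shcluster/apps directory.
STAGING_APPS="${STAGING_APPS:-/opt/splunk/etc/apps}"
DEPLOYER_APPS="${DEPLOYER_APPS:-/opt/splunk/etc/shcluster/apps}"
BASELINE="${BASELINE:-/var/tmp/es-staging-baseline.txt}"

# Step 1 (before installing ES): record the app directories the clean staging
# instance already has. Everything in this list is, by definition, not ES.
record_baseline() {
    ls -1 "$STAGING_APPS" | sort > "$BASELINE"
}

# A few app names shipped with Splunk Enterprise that must never reach the
# deployer even if the baseline was recorded too late (assumed, not exhaustive).
is_default_app() {
    case "$1" in
        search|launcher|learned|user-prefs|splunk_httpinput) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2 (after installing ES): print the app directories added since the
# baseline, i.e. the ES app plus its SA-, DA- and TA- components.
new_apps() {
    [ -f "$BASELINE" ] || { echo "no baseline at $BASELINE; run record_baseline first" >&2; return 1; }
    ls -1 "$STAGING_APPS" | sort | comm -13 "$BASELINE" -
}

# Step 3: copy each new app directory to the deployer, refusing default apps.
# Returns non-zero if a default app name shows up in the new list, because that
# means the baseline is not trustworthy and the whole copy should be reviewed.
migrate_new_apps() {
    [ -f "$BASELINE" ] || return 1
    mkdir -p "$DEPLOYER_APPS"
    status=0
    for app in $(new_apps); do
        [ -d "$STAGING_APPS/$app" ] || continue
        if is_default_app "$app"; then
            echo "refusing to copy default app $app" >&2
            status=1
            continue
        fi
        cp -R "$STAGING_APPS/$app" "$DEPLOYER_APPS/"
        echo "copied $app"
    done
    return $status
}

# Usage: ES_MIGRATE_STEP=baseline sh es_migrate.sh   (before installing ES)
#        ES_MIGRATE_STEP=migrate  sh es_migrate.sh   (after installing ES)
case "${ES_MIGRATE_STEP:-}" in
    baseline) record_baseline ;;
    migrate)  migrate_new_apps ;;
esac
```

Run the baseline step once on the freshly prepared staging instance, install ES, then run the migrate step with DEPLOYER_APPS pointing at the deployer's shcluster/apps directory (a mount, or a local staging copy that you then transfer to the deployer). App names in the loop are taken from directory listings and contain no whitespace, which is why the plain for loop over `$(new_apps)` is safe here.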
Dashboard changes in a search head cluster
There are several types of configuration changes made on a search head:
- UI configurations
- Search-related configurations
- System configurations
Create or update UI and search configurations from any member of a search head cluster. Once the changes are made, they replicate to the other search head cluster members automatically without using the deployer.
Manage system configurations centrally with the deployer. To review which configuration files are replicated between cluster members and which ones must be deployed, see How configuration changes propagate across the search head cluster in the Splunk Enterprise Distributed Search Manual.
Identity Management
Adding or disabling an identities list from Identity Management cannot be done from a search head cluster member or captain. When reviewing the dashboard Configure > Identity Management from any cluster member, the page states: "Current instance is running in SHC mode and is not able to add new inputs."
- New workflow: Configure the new or changed identities list on your Enterprise Security testing or staging environment. After testing the configuration, use the search head cluster deployer to distribute updated configurations and a new lookup file across the search head cluster.
Threat Source Management
Adding or disabling a threat source from Threat Intelligence Manager or Threat Intelligence Downloads cannot be configured from a search head cluster member or captain. When reviewing the dashboard Configure > Data Enrichment > Threat Intelligence Downloads from any cluster member, the page states: "Current instance is running in SHC mode and is not able to add new inputs."
- New workflow: Configure the new or changed threat source on your Enterprise Security testing or staging environment. After testing the configuration, migrate the configuration to the search head cluster deployer and distribute the updated inputs.conf configurations across the search head cluster.
Migrate an existing deployment
An Enterprise Security search head or search head pool member cannot be added directly to a search head cluster. To perform a migration, a new search cluster must be created and deployed with the latest version of Enterprise Security. Once the search head cluster is running ES, any custom configurations from a prior Enterprise Security installation must be manually reviewed and migrated to the deployer for replication to the cluster members.
For more information, see the topic Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.
For assistance in planning a Splunk Enterprise Security deployment migration, contact the Splunk Professional Services team.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4