Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Install Enterprise Security

This topic describes installing an on-premises search head with Splunk Enterprise Security. Splunk Cloud customers will work with Splunk Support to coordinate access to the Enterprise Security search head.

Splunk Enterprise Security prerequisites

To view the platform requirements for Splunk Enterprise Security, see Deployment planning in this manual. For an overview of the data sources and collection considerations for ES, see Data source planning in this manual.

Step 1. Download Splunk Enterprise Security

  1. Browse to splunk.com and log in with your Splunk.com ID. You must be a licensed Enterprise Security customer to download the product.
  2. Download the latest Splunk Enterprise Security product.
  3. Choose Download, and save the Splunk Enterprise Security product file to your desktop.
  4. Log in to the search head as an administrator.

Step 2. Install Splunk Enterprise Security

  1. On the Splunk Enterprise search page, browse to Apps > Manage Apps and choose Install App from File.
  2. Select Choose File and browse to the Splunk Enterprise Security product file.
  3. Select Upload to begin the installation.
  4. Select Set up now to begin the ES setup.

Step 3. Set up Splunk Enterprise Security

  1. Select Start.
  2. The Splunk Enterprise Security Post-Install Configuration page indicates the status as it moves through the stages of installation.
  3. Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page will prompt you to restart Splunk platform services.
  4. Select Restart Splunk to finish the installation.

Installing Enterprise Security enables SSL on the search head. You must change the Splunk URL to use https to access the search head after installing ES.

If post-install does not complete, but stops during the enabling add-ons phase with the error of "reenable_apps failed. See search.log for details" then you can change the timeout settings. ES executes the post-install steps, allowing only a certain amount of time to complete. If for any reason the server doesn't finish in time, a timeout is triggered and the installation or upgrade is forced to halt.

  1. From the ES search head, navigate to etc/apps/SplunkEnterpriseSecuritySuite/bin/install/essinstaller2.py.
  2. Go to line #95 and change self.timeout to a larger value, such as 300:
    # Timeout setting for all REST calls

    self.timeout = 300 
  3. Rerun ES setup.

Step 4. Configure Enterprise Security

To continue configuring Splunk Enterprise Security, see the following.

  1. Install and deploy add-ons
  2. Configure and deploy Indexes
  3. Configure users and roles
  4. Configure data models

Installation from a command line

Perform a Splunk Enterprise Security installation using the Splunk software command line. See About the CLI for more about the Splunk software command line.

  1. Follow Step 1: Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
  2. Start the installation process on the search head. Follow Step 2: Install Splunk Enterprise Security or perform a REST call to start the installation from the server command line. For example:
    curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<filename and directory>" -d update="true" -v
  3. On the search head, use the Splunk software command line to run:
    splunk search '| essinstall' -auth admin:password
  4. Review the installation log in:
    $SPLUNK_HOME/var/log/splunk/essinstaller2.log

Installation on a search head cluster

Splunk Enterprise Security has specific requirements and processes for implementing search head clustering.

Use a staging instance to prepare Enterprise Security for the deployer. If you do not have a staging instance available, you can use a testing or QA Splunk Enterprise instance that does not have any other apps installed. A staging instance cannot be connected to production indexers or search peers. Use a staging instance for configuration changes and upgrades.

To install Enterprise Security on a search head cluster:

  1. Prepare a staging instance.
  2. Install Enterprise Security on the staging instance.
  3. Migrate the Enterprise Security installation to the deployer. Copy the apps, SAs, DAs, and TAs associated with the Splunk Enterprise Security Suite from $SPLUNK_HOME/etc/apps on the staging instance to $SPLUNK_HOME/etc/shcluster/apps on the deployer. Do not copy the entire folder because you do not want to include default apps, such as the search app.
  4. Use the deployer to deploy Enterprise Security to the cluster members.

Managing configuration changes in a search head cluster

Some system configuration changes that you make on the General Settings page in Enterprise Security must be deployed using the deployer:

  • Enable or disable indexed real-time searches
  • Modify the indexed real-time disk sync delay
  • Enable or disable pushdown predicates search optimization

Instead of making those changes on a search head cluster member, make the changes on a staging instance. After testing the configuration on the staging instance, migrate the inputs.conf configuration to the search head cluster deployer and deploy the updated configuration to the search head cluster.

Most configuration changes that you make in a search head cluster replicate automatically to other search head cluster members. For example:

  • Add, modify, and disable threat intelligence sources
  • Add, modify, and disable asset and identity source lists
  • Make changes to the user interface
  • Make changes to searches

See How configuration changes propagate across the search head cluster in the Distributed Search Manual.

Migrate an existing deployment

You cannot add an Enterprise Security search head or search head pool member directly to a search head cluster. To migrate a search head or search head pool member to a search head cluster, you must create a new search head cluster and deploy the latest version of Enterprise Security on it.

After the search head cluster is running Enterprise Security, you must manually review and migrate custom configurations from a previous Enterprise Security installation to the deployer of the new search head cluster to replicate the changes to the cluster members.

For more information, see the topic Migrate from a standalone search head to a search head cluster in the Splunk Enterprise Distributed Search Manual.

For assistance in planning a Splunk Enterprise Security deployment migration, contact Splunk Professional Services.

Last modified on 20 September, 2019
PREVIOUS
Data source planning
  NEXT
Install and deploy add-ons

This documentation applies to the following versions of Splunk® Enterprise Security: 4.2.0 Cloud only, 4.2.1 Cloud only, 4.2.2 Cloud only, 4.5.0, 4.5.1, 4.5.2, 4.5.3


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters