Splunk® Enterprise Security

Installation and Upgrade Manual


This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Deployment planning

Deploy Splunk Enterprise Security on a configured Splunk platform installation. Review the system and hardware requirements and the search head and indexer considerations before deploying Enterprise Security.

Available deployment architectures

You can deploy Splunk Enterprise Security in a single instance deployment or a distributed search deployment. Splunk Enterprise Security is also available in Splunk Cloud Platform. Before you deploy Splunk Enterprise Security on premises, familiarize yourself with the components of a Splunk platform deployment. See Components of a Splunk Enterprise deployment in the Capacity Planning Manual.

Single instance deployment

For a simple and small deployment, install Splunk Enterprise Security on a single Splunk platform instance. A single instance functions as both a search head and an indexer. Use forwarders to collect your data and send it to the single instance for parsing, storing, and searching.

You can use a single instance deployment for a lab or test environment, or a small system with one or two users running concurrent searches.

Distributed search deployments

A distributed search deployment is recommended for deploying and running Splunk Enterprise Security.

  • Install Splunk Enterprise Security on a dedicated search head or search head cluster. A dedicated search head is not required for every implementation. It depends on the capacity of your specific environment and the workload of the apps you're already running, in addition to your Enterprise Security workload. See Introduction to capacity planning for Splunk Enterprise in the Splunk Enterprise Capacity Planning Manual.
  • Improve search performance by using an index cluster and distributing the workload of searching data across multiple nodes. Using multiple indexers allows both the data collected by the forwarders and the workload of processing the data to be distributed across the indexers.
  • Use forwarders to collect your data and send it to the indexers.

In a distributed search deployment, and to implement search head clustering, configure the search head to forward all data to the indexers. See Forward search head data to the indexer layer in the Distributed Search manual.

To properly scale your distributed search deployment with Splunk Enterprise Security, see Indexer scaling considerations for Splunk Enterprise Security.

Cloud deployment

Splunk Enterprise Security is available as a service in Splunk Cloud Platform. The Splunk Cloud Platform deployment architecture varies based on data and search load. Splunk Cloud Platform customers work with Splunk Support to set up, manage, and maintain their cloud infrastructure. For information on Splunk Cloud Platform deployments, see the Splunk Cloud Platform deployment types in the Splunk Cloud Platform Admin Manual.

Hybrid search deployment

A hybrid search configuration with Splunk Enterprise Security is not yet supported with Splunk Cloud Platform. You can set up an on-premises Splunk Enterprise Security search head to search indexers in another cloud environment. Any hybrid search deployment configuration must account for added latency, bandwidth concerns, and include adequate hardware to support the search load.

Splunk Enterprise system requirements

Splunk Enterprise Security requires a 64-bit OS install on all search heads and indexers. For the list of supported operating systems, browsers, and file systems, see System requirements for use of Splunk Enterprise on-premises in the Splunk Enterprise Installation Manual.

See the following to determine the compatibility of the Enterprise Security versions and Splunk platform versions:

For the details on how to upgrade Splunk Enterprise, and also the Splunk products version compatibility matrix, see About upgrading to 8.0 READ THIS FIRST in the Splunk Enterprise Installation Manual.

Hardware requirements

Splunk Enterprise Security requires minimum hardware specifications that you increase according to your needs and usage of Splunk Enterprise Security. These specifications also apply for a single instance deployment of Splunk Enterprise Security.

Machine role   Minimum CPU             Minimum RAM   Minimum vCPU
Search head    16 physical CPU cores   32GB          32vCPU
Indexer        16 physical CPU cores   32GB          32vCPU

The minimum hardware specifications for search head cluster members and their indexers running Enterprise Security are the same as those required by standalone deployments (search heads and indexers).

Indexing is an I/O-intensive process. The indexers require sufficient disk I/O to ingest and parse data efficiently while responding to search requests. For the latest IOPS requirements to run Splunk Enterprise, see Reference Hardware: Indexer in the Capacity Planning Manual.

You might need to increase the hardware specifications of your own Enterprise Security deployment above the minimum hardware requirements depending on your environment. Depending on your system configuration, refer to the mid-range or high-performance specifications for Splunk platform reference hardware. See Mid-range specification and High-performance specification in the Capacity Planning Manual.

Splunk Enterprise Security search head considerations

Install Splunk Enterprise Security on a dedicated search head or a dedicated search head cluster. You can install only Common Information Model (CIM)-compatible apps or add-ons on the same search head as Splunk Enterprise Security. For example, the Splunk App for PCI Compliance (for Splunk Enterprise Security) or Splunk Add-on Builder can both be installed on the same search head as Splunk Enterprise Security.

All real-time searches in Splunk Enterprise Security use the indexed real-time setting to improve indexing performance. See About real-time searches and reports in the Search Manual. Disabling the indexed real-time search setting reduces the overall indexing capacity of your indexers. To review the performance implications of the types of real-time searches, see Known limitations of real-time searches in the Search Manual.

Splunk Enterprise Security requires the KV Store. For more information about KV Store, including the system requirements, see About the app key value store in the Splunk Enterprise Admin Manual. Splunk Enterprise Security stores some lookup files in the KV Store. In a search head cluster environment, syncing large KV Store lookups across the cluster members can fail and cause the KV Store to become stale. To mitigate this, you can increase the operations log size. See Prevent stale members by increasing operations log size in the Splunk Enterprise Admin Manual.

Splunk Enterprise Security and search head clustering

Splunk Enterprise Security supports installation on Linux-based search head clusters only. At this time, Windows search head clusters are not supported by Splunk Enterprise Security.

Search head clusters increase the search load on indexers. Add more indexers or allocate additional CPU cores to the indexers when implementing a search head cluster. See System requirements and other deployment considerations for search head clusters in the Splunk Enterprise Distributed Search Manual and Search head clustering architecture in the Distributed Search Manual.

Search head scaling considerations for Splunk Enterprise Security

Factor                                                 Increase this specification
A large number of concurrent ad-hoc searches           Increase CPU cores and RAM
A high number of real-time searches being run          Increase CPU cores
A large number of users logging in at the same time    Increase CPU cores
A large number of enabled correlation searches         Increase RAM
Large asset and identity lookup files                  Increase RAM

Indexer scaling considerations for Splunk Enterprise Security

Increase the number of indexers in your deployment to scale with increases in search load and search concurrency. Because a collection of indexers can serve more than one search head, additional search heads using the same indexers as a search head hosting Enterprise Security can affect the total performance of your indexer tier and reduce the resources available to Enterprise Security.

The Splunk platform uses indexers to scale horizontally. The number of indexers required in an Enterprise Security deployment varies based on the data volume, data type, retention requirements, search type, and search concurrency.

Work with Splunk Professional Services to estimate deployment architecture if you plan to ingest 1 terabyte (1TB) per day or more of data into Enterprise Security.

Performance test results

Review these performance test results to estimate the performance you can expect from your infrastructure based on the mix of data in your Splunk platform and Enterprise Security deployment. The indexers used for these performance tests match the reference hardware with 32GB of RAM and 16 CPU cores.

There are a few large factors to consider when sizing Splunk Enterprise Security.

  • Correlation search load, based on the number of correlation searches and supporting searches enabled in your deployment.
  • Data model acceleration load, based on the number of data models being accelerated, the type of data being modeled, the cardinality of the data being modeled, and the volume of data being accelerated.
  • Search head cluster environment versus single search head environment.

Depending on the data mix, the ingest volume, and the searches enabled, data model acceleration can lag behind data ingestion. Using hardware similar to the AWS i3en.12xlarge instance type, we can simulate the resource usage of a large customer system with approximately 24 indexers, each ingesting 625 GB per day for a total of 15 TB per day, based on the following lab example mix:

  • 9 data models
  • 10 major source types
  • 60 out-of-the-box correlation searches
  • 70 saved searches
  • random navigation traffic on ES dashboards

Capacity planning is challenging due to the complexity of use cases, the data, and the architecture possibilities. Every situation is unique.

When scaling Splunk Enterprise with Splunk Enterprise Security to very high (15TB) data volumes, some configurations that would normally be acceptable in a Splunk Enterprise deployment are no longer acceptable once Enterprise Security is installed. The reason is that Enterprise Security ships with a number of default searches, including data model acceleration, and these searches affect overall cluster performance. Work with your Splunk field architect to calculate and validate your sizing.

Because high volume Enterprise Security deployments run large numbers of searches that return large result sets, the amount of work each peer must do can also become much greater than in a smaller deployment. As a result, memory consumption and run times of search jobs are key metrics to monitor and keep at safe levels. Customers should pay careful attention to the styles and types of searches that are allowed to run on high volume Enterprise Security deployments, and enforce quality standards for the SPL commands, time ranges, and intervals that are appropriate for scheduled searches within Enterprise Security.

Indexer clustering support

Splunk Enterprise Security supports both single site and multisite indexer cluster architectures. See The basics of indexer cluster architecture and Multisite cluster architecture in Managing Indexers and Clusters of Indexers.

A single site or multisite indexer cluster architecture can have one search head or one search head cluster with a running instance of Enterprise Security. Additional single instance search heads or additional search head clusters cannot run Enterprise Security.

For a multisite indexer cluster architecture, Splunk recommends the following:

  • Enable summary replication. See Replicated summaries in Managing Indexers and Clusters of Indexers.
  • Set the Enterprise Security search head to site0 to disable search affinity. See Disable search affinity in Managing Indexers and Clusters of Indexers.

If you use indexer clustering, the method you use to deploy apps and configuration files to indexer peers is different. See Manage common configurations across all cluster peers and Manage app deployment across all cluster peers in Managing Indexers and Clusters of Indexers.

Data model accelerations

Splunk Enterprise Security accelerates data models to provide dashboard, panel, and correlation search results. Data model acceleration uses the indexers for processing and storage, storing the accelerated data in each index.

Limit data model acceleration for specific data models to specific indexes to improve performance of data model acceleration and reduce indexer load, especially at scale. See Set up the Splunk Common Information Model Add-on for more on restricting data models to specific indexes.

See Data model acceleration storage and retention to calculate the additional storage for data model acceleration.

Index TSIDX reduction compatibility

A retention policy for an index's TSIDX files is available in Splunk Enterprise 6.4.x. For more information, see Reduce tsidx disk usage in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual. Setting a retention policy for the TSIDX files does not affect the retention of data model accelerations.

Some searches provided with Enterprise Security do not work on buckets with reduced TSIDX files.

Panel/Search Name                                             Default time range   Workaround
Forwarder Audit panel: Event Count Over Time by Host          -30d                 Set the TSIDX retention to a value greater than the time range.
Saved Search: Audit - Event Count Over Time By Top 10 Hosts   -30d                 Set the TSIDX retention to a value greater than the time range.
Saved Search: Audit - Events Per Day - Lookup Gen             -1d                  Set the TSIDX retention to a value greater than the default time range.
Saved Search: Endpoint - Index Time Delta 2 - Summary Gen     -1d                  Set the TSIDX retention to a value greater than the default time range.

Using the deployment server with Splunk Enterprise Security

Splunk Enterprise Security includes apps and add-ons. If the deployment server manages those apps or add-ons, Enterprise Security will not finish installing.

If add-ons included with the Enterprise Security package are managed by a deployment server, remove the deployment client configuration before installing Enterprise Security.

  1. Remove the deploymentclient.conf file containing references to the deployment server.
  2. Restart Splunk services.

Improved app import and export support

Splunk Enterprise Security no longer selectively imports apps and add-ons based on the name of the app or add-on. Knowledge objects in apps and add-ons that are installed on the same search head as Splunk Enterprise Security and exported to other apps or globally are visible in Splunk Enterprise Security. To verify a global export from the search head, check the local.meta file of the app or add-on for export = system. For further details, see the "Make Splunk knowledge objects globally available" section of App architecture and object ownership in the Splunk Enterprise Admin Manual.
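The following script is an added example and is not part of the Splunk documentation or of Enterprise Security itself. It turns the two pre-install checks above into read-only shell functions: find_deployment_clients lists every deploymentclient.conf under SPLUNK_HOME/etc that names a deployment server (a targetUri setting), which is the file you must remove before installing Enterprise Security, and list_global_exports lists the apps whose local.meta sets export = system in the app-wide [] stanza, which is the check for a global export described above. The function names, the sample apps TA-sample and private_app built by make_sample_home, and the default SPLUNK_HOME of /opt/splunk are this example's own assumptions; the sample tree is constructed so that the script can be dry-run without a Splunk installation.

```shell
#!/bin/sh
# Added example, not part of the Splunk documentation: read-only checks to run
# on a search head before installing Enterprise Security.
#   find_deployment_clients  lists deploymentclient.conf files that point at a
#                            deployment server (targetUri); remove these first.
#   list_global_exports      lists apps whose local.meta exports knowledge
#                            objects globally (export = system in the [] stanza).
# make_sample_home builds a small constructed SPLUNK_HOME tree for a dry run.
# Function names and sample apps are this example's own; SPLUNK_HOME is
# assumed to be /opt/splunk unless set in the environment.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

find_deployment_clients() {
    home="${1:-$SPLUNK_HOME}"
    find "$home/etc" -name deploymentclient.conf 2>/dev/null | while read -r f; do
        # Only files that actually name a deployment server count
        grep -qi '^[[:space:]]*targetUri[[:space:]]*=' "$f" && echo "$f"
    done
    return 0
}

list_global_exports() {
    home="${1:-$SPLUNK_HOME}"
    for meta in "$home"/etc/apps/*/metadata/local.meta; do
        [ -f "$meta" ] || continue
        app=$(basename "$(dirname "$(dirname "$meta")")")
        # Track the current stanza; only the export value in the app-wide []
        # stanza is reported, not per-object stanzas such as [lookups/x.csv]
        scope=$(awk '
            /^[[:space:]]*\[/ { inroot = ($0 ~ /^[[:space:]]*\[\]/); next }
            inroot && /^[[:space:]]*export[[:space:]]*=/ {
                sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
            }' "$meta")
        [ "$scope" = "system" ] && printf '%s\t%s\n' "$app" "$scope"
    done
    return 0
}

# Constructed sample tree: one add-on managed by a deployment server and
# exported globally, one private app that exports only a single lookup.
make_sample_home() {
    home="$1"
    mkdir -p "$home/etc/apps/TA-sample/local" "$home/etc/apps/TA-sample/metadata" \
             "$home/etc/apps/private_app/metadata"
    cat > "$home/etc/apps/TA-sample/local/deploymentclient.conf" <<'EOF'
[target-broker:deploymentServer]
targetUri = deploy.example.internal:8089
EOF
    cat > "$home/etc/apps/TA-sample/metadata/local.meta" <<'EOF'
[]
access = read : [ * ], write : [ admin ]
export = system
EOF
    cat > "$home/etc/apps/private_app/metadata/local.meta" <<'EOF'
[]
access = read : [ * ], write : [ admin ]
export = none

[lookups/private_lookup.csv]
export = system
EOF
}

# Run with --check against a live install; nothing is modified. Review the
# output, remove the listed deploymentclient.conf files, then restart:
#   $SPLUNK_HOME/bin/splunk restart
if [ "${1:-}" = "--check" ]; then
    echo "deploymentclient.conf files referencing a deployment server:"
    find_deployment_clients
    echo "apps exporting knowledge objects globally (export = system):"
    list_global_exports
fi
```

Running the script with --check on a search head prints the files to remove and the apps whose knowledge objects will be visible to Enterprise Security; in the constructed tree, private_app is not listed because only one of its lookups is exported globally while the app-wide [] stanza says export = none, which is exactly the distinction the local.meta check above relies on.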

Virtualized hardware

If you install Splunk Enterprise Security in a virtualized environment, you need the same memory and CPU allocation as a non-virtualized bare-metal environment.

  • Reserve all CPU and memory resources.
  • Do not oversubscribe hardware.
  • Test the storage IOPS across all Splunk platform indexer nodes simultaneously to ensure that the IOPS match the reference hardware specification used in your environment. See Reference Hardware in the Capacity Planning Manual.

Insufficient storage performance is a common cause for poor search response and timeouts when scaling the Splunk platform in a virtualized environment.

  • Use thick-provisioned storage. Thin provisioning storage might impact performance.

Monitoring Console

If you enable the Monitoring Console on an Enterprise Security search head, it must remain in standalone mode. For more on when and how to configure the Monitoring Console in a distributed environment, see Which instance should host the console? in Monitoring Splunk Enterprise.

Enterprise Security compatibility with other apps

Splunk Enterprise Security (ES) relies on the search knowledge and Common Information Model (CIM) support supplied by add-ons. The add-ons are responsible for defining the event processing necessary to optimize, normalize, and categorize security data for use with the CIM. Only CIM-compatible apps are compatible with Splunk Enterprise Security. Other apps and add-ons that are not CIM-compatible can include data knowledge that is not normalized for the CIM, preventing searches and dashboards that rely on those fields from functioning properly.

Only install apps and add-ons on the same search head with ES if they meet one of the following guidelines:

  • Add-ons that are CIM-compatible and enrich data for use with ES.
  • Apps that may or may not enrich data for ES, but whose primary purpose is to integrate with ES.

Splunk Enterprise Security and the SA-VMNetAppUtils component of the Splunk Add-on for VMware cannot be installed on the same search head. Conflicts with identically-named files can prevent some parts of Splunk Enterprise Security from working correctly.

Last modified on 03 May, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2
