Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

Deployment considerations for Splunk Enterprise Security

You can deploy Splunk Enterprise Security on-premises, or on Splunk Cloud Platform, or in a hybrid environment. You can also deploy Splunk Enterprise Security in a single instance or distributed search deployment. Additionally, you can also install Splunk Enterprise Security in a virtualized environment.

Splunk Enterprise platform considerations

Splunk Enterprise 7.2.0 uses Serialized Result Set (SRS) format by default. The exception is in searches that execute actions, for which we auto-detect whether to use CSV or SRS. This is handled in the alert_actions.conf file, but do not modify the forceCsvResults stanza without a thorough understanding of scripts or processes that access the results files directly.

A new install_apps capability is introduced in Splunk Enterprise v8. The change impacts the existing Enterprise Security edit_local_apps capability's functionality to install and upgrade apps. In ES, enable_install_apps is false by default. If you set enable_install_apps=True and you don't have the new install_apps and existing edit_local_apps capabilities, you will not be able to install and setup apps. This includes performing ES setup and installing other content packs or Technology Add-ons.

On the standalone search head or search peers and indexers, configure the setting enforce_auto_lookup_order = true in the [lookup] stanza of the limits.conf configuration file so that the lookup names in the props.conf file are looked up in ASCII order by name.

Deploy Splunk Enterprise Security on the Splunk Cloud Platform

Review the following information to deploy Splunk Enterprise Security on Splunk Cloud Platform:

Splunk Enterprise Security is available as a service on the Splunk Cloud Platform. The Splunk Cloud Platform deployment architecture varies based on data and search load. Splunk Cloud Platform customers work with Splunk Support to set up, manage, and maintain their cloud infrastructure.

Deploy Splunk Enterprise Security in a hybrid environment

Review the following information to deploy Splunk Enterprise Security in a hybrid environment:

A hybrid search configuration with Splunk Enterprise Security is not supported with Splunk Cloud Platform. To set up a hybrid environment, set up an on-premises Splunk Enterprise Security search head to search indexers in another cloud environment. Any hybrid search deployment configuration must account for added latency, bandwidth concerns, and include adequate hardware to support the search load.

Deploy Splunk Enterprise Security in a single instance and distributed search environment

Available deployment architectures to install Splunk Enterprise Security include a single instance deployment or a distributed search deployment.

Before you deploy Splunk Enterprise Security on premises, familiarize yourself with the components of a Splunk platform deployment.

Review the following performance considerations for single search head or a distributed search deployment before installing Enterprise Security:

Deployment type Single-instance deployment Distributed search deployment
Preferred No. Usually used for a lab or test environment, or as a small system with one or two users running concurrent searches. Yes
Search head requirements A single platform instance functions as both a search head and indexer. Install Splunk Enterprise Security on a dedicated search head or search head cluster
Indexer requirements A single platform instance functions as both a search head and indexer. To improve search performance, use an indexer cluster to distribute the search workload across multiple nodes. For a distributed search deployment, and for search head clustering, configure the search head to forward all data to the indexers. See Forward search head data to the indexer layer in the Distributed Search manual.
Data flow Forwarders collect your data and send it to the single instance for parsing, storing, and searching. Forwarders collect your data and send it to the indexers.
Supported operating system Splunk Enterprise Security supports installation on Linux-based search head clusters only. Windows search head clusters are not supported.

Additionally, stand-alone Windows servers cannot run Enterprise Security.

Splunk Enterprise Security supports installation on Linux-based search head clusters only. Windows search head clusters are not supported.

A dedicated search head might be required depending on the capacity of your specific environment and the workload of the apps you're already running and your Enterprise Security workload.


Deploy Splunk Enterprise Security in virtualized environments

If you install Splunk Enterprise Security in a virtualized environment, you need the same memory and CPU allocation as a non-virtualized bare-metal environment.

Consider the following guidelines to deploy Splunk Enterprise Security in a virtualized environment:

  • Reserve all CPU and memory resources.
  • Do not oversubscribe hardware.
  • Test the storage IOPS across all Splunk platform indexer nodes simultaneously to ensure that the IOPS match the reference hardware specification used in your environment. See Reference Hardware in the Capacity Planning Manual.

Insufficient storage performance is a common cause for poor search response and timeouts when scaling the Splunk platform in a virtualized environment.

  • Use thick provisioned storage. Thin provisioning storage might impact performance.
  • Hyper-threaded cores are not treated as extra cores. If you're running VMs on machines with hyper-threading enabled, you must double the vCPU count. For example, use 32 vCPUs instead of 16 physical cores.

See also

For more information on Splunk Enterprise deployments, see the product documentation:

Last modified on 08 August, 2024
Minimum specifications for a production deployment   Considerations for scaling deployments

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters