Deploy technology add-ons to Splunk Enterprise Security
The Splunk Enterprise Security package includes a set of add-ons, and is compatible with others.
- The add-ons that include "SA-" or "DA-" in the name make up the Splunk Enterprise Security framework. You do not need to take any additional action to deploy or configure these add-ons, because their installation and setup is handled as part of the Splunk Enterprise Security installation process. Do not disable any add-ons that make up the Splunk Enterprise Security framework.
- The rest of the add-ons include "TA-" in the name and are technology-specific and provide the CIM-compliant knowledge necessary to incorporate that source data into Enterprise Security.
For more about how the different types of add-ons interact with Splunk Enterprise Security, see About the ES solution architecture on the Splunk developer portal. Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
See Splunk Enterprise distributed deployments in the Splunk Machine Learning Toolkit User Guide if you're interested in the distributed apply feature of MLTK.
The process of deploying the technology add-ons depends on the architecture of your Splunk platform deployment.
Prerequisite
Install Splunk Enterprise Security on your search head or search head cluster. See Install Enterprise Security. When you install Splunk Enterprise Security in a distributed environment, the installer installs and enables the add-ons included in the Splunk Enterprise Security package on the search head or search head cluster.
Steps
- Determine which add-ons to install on forwarders
- Deploy add-ons to forwarders
- Deploy add-ons to indexers
Determine which add-ons to install on forwarders
Determine which add-ons to install on forwarders and which type of forwarder configuration each add-on requires by reviewing the documentation for the add-ons. Download add-ons from Splunkbase. Install add-ons that collect data on forwarders.
Most add-ons include input settings for a specific data source. Review the inputs.conf included with an add-on and deploy the add-on to a forwarder as needed. Some add-ons need to be deployed on forwarders installed directly on the data source system. Other add-ons require heavy forwarders. See the documentation or README file for each add-on for specific instructions.
- For add-ons with web-based documentation, follow the links below to determine where it needs to be installed and configured.
- For add-ons that do not have web-based documentation, see the README file included in the root folder of the add-on.
Deploy add-ons to forwarders
See Install an add-on in a distributed Splunk Enterprise deployment in the Splunk Add-ons documentation.
Technology-specific add-ons provided with Enterprise Security
Splunk Enterprise Security includes the technology add-on for UBA. See About the Splunk Add-on for Splunk UBA.
Deploy add-ons to indexers
Splunk recommends installing Splunk-supported add-ons across your entire Splunk platform deployment, then enabling and configuring inputs only where they are required. For more information, see Where to install Splunk add-ons in the Splunk Add-ons documentation.
The procedure that you use to deploy add-ons to your indexer can depend on your Splunk platform deployment. Select the option that matches your situation or preference.
Deployment situation | Procedure |
---|---|
Splunk Enterprise Security is running on Splunk Cloud Platform. | Contact Splunk Support and ask them to install the required add-ons to your indexers. |
You prefer to deploy add-ons to the indexers manually. | See Install an add-on in a distributed Splunk Enterprise deployment. |
Your indexers are clustered, you use the cluster master to deploy add-ons to cluster peers of your on-premises Splunk platform installation, and there is no additional deployment complexity. | Create the Splunk_TA_ForIndexers and manage deployment manually |
Your indexers are not clustered, you use the deployment server to automatically manage indexer settings of your on-premises Splunk platform installation, and there is no additional deployment complexity. | This automatic procedure is deprecated. See the Release Notes. |
Splunk Enterprise Security is running on a complex deployment, such as one Splunk Enterprise Security search head and one search head for other searches both using the same set of indexers. | Contact Splunk Professional Services for assistance with deploying add-ons to your indexers. |
Create the Splunk_TA_ForIndexers and manage deployment manually
Use this procedure only if Splunk Enterprise Security is running on Splunk Enterprise rather than Splunk Cloud Platform, indexers are clustered, and there is no additional deployment complexity. If this does not match your deployment situation, see Deploy required add-ons to indexers to select a different deployment method.
Distributed Configuration Management collects the index-time configurations and basic index definitions into the Splunk_TA_ForIndexers package to simplify the deployment of add-on configurations to on-premises indexers. The Splunk_TA_ForIndexers includes all indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head, merges them into single indexes.conf, props.conf, and transforms.conf files, and places the files into one add-on for download. It works similar to a ./splunk cmd btool <conf_file_prefix> list
output.
This procedure deploys all add-ons that are enabled on your search head to your indexers. If you want to limit which add-ons you deploy to your indexers to only the subset that are strictly required to be on indexers, select '''Apps''' and then select '''Manage apps''' and disable all add-ons that are not required on indexers before you begin this procedure. You can re-enable them after you finish the procedure.
Before you deploy Splunk_TA_ForIndexers, make sure that existing add-ons installed on indexers are not included in the Splunk_TA_ForIndexers package. Deploying the same add-on twice might lead to configuration conflicts, especially if the add-ons are different versions.
- On the Splunk Enterprise Security menu bar, select Configure and then select General settings.
- Scroll to Distributed configuration management, and select Download Splunk_TA_ForIndexers .
- Select the contents for the package. You must select at least one of the following options to download the package.
- (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
- (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
- Select Download the Package to create and download the Splunk_TA_ForIndexers.
- After the add-on downloads, you can modify the contents of the package.
For example, modify indexes.conf to conform with site retention settings and other storage options. - Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.
When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.
Install Splunk Enterprise Security in a search head cluster environment | Integrate Splunk Stream with Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Feedback submitted, thanks!