Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

Install Splunk Enterprise Security on an on-prem search head

Install Splunk Enterprise Security on an on-premises search head. Splunk Cloud Platform customers must work with Splunk Support to coordinate access to the Splunk Enterprise Security search head.

Install Splunk Enterprise Security

The installer dynamically detects if you're installing in a single search head environment or search head cluster environment. The installer is also bigger than the default upload limit for Splunk Web.

Follow these steps to start installing Splunk Enterprise Security:

  1. Increase the Splunk Web upload limit to at least 2 GB by creating a file called $SPLUNK_HOME/etc/system/local/web.conf with the following stanza.
    [settings]
    max_upload_size = 2048
  2. To restart Splunk from the Splunk toolbar, select Settings.
  3. Select Server controls and then select Restart Splunk.
  4. On the Splunk toolbar, select Apps.
  5. Select Manage apps and then sleect Install app from file.
  6. Select Choose file and select the Splunk Enterprise Security product file.
  7. Select Upload to begin the installation.
  8. Select Set up now to start setting up Splunk Enterprise Security

Set up Splunk Enterprise Security in a single search head environment

Follow these steps to set up Splunk Enterprise Security in a single search head environment:

  1. Select Start.
  2. If you are not using Secure Sockets Layer (SSL) in your environment, do one of the following steps when you see the SSL Warning message:
    1. Select Enable SSL to turn on SSL and start using https:// for encrypted data transfer.
    2. Select Do Not Enable SSL to keep SSL turned off and continue using http:// for data transfer.

The '''Splunk Enterprise Security Post-Install Configuration''' page indicates the status as it moves through the stages of installation.

  1. Choose to exclude selected add-ons from being installed, or install and disable them. When the setup is done, the page prompts you to restart Splunk platform services.
  2. If prompted to do so, select Restart Splunk to finish the installation.

If you enable SSL, you must change the Splunk Web URL to use https to access the search head after installing Splunk Enterprise Security.

After the installation completes, review the installation log in: $SPLUNK_HOME/var/log/splunk/essinstaller2.log.

Configure Splunk Enterprise Security

To continue configuring Splunk Enterprise Security, see the following:

  1. Deploy add-ons included with Splunk Enterprise Security
  2. Configure and deploy Indexes in Splunk Enterprise Security
  3. Configure users and roles in Splunk Enterprise Security
  4. Configure data models in Splunk Enterprise Security

For an overview of the data sources and collection considerations for Enterprise Security, see Data source planning.

Install Splunk Enterprise Security from the command line

Install Splunk Enterprise Security using the Splunk software command line. See About the CLI for more about the Splunk software command line.

  1. Follow the steps in Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
  2. Start the installation process on the search head. Install with the ./splunk install app <filename> command or perform a REST call to start the installation from the server command line.
    For example: 
    curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<file name and directory>" -d update="true" -v

    Using the -d option in the command might cause errors in case of a new installation of Splunk Enterprise Security.

    For information on upgrading Splunk Enterprise Security, see Upgrade Splunk Enterprise Security. You can upgrade the Splunk Enterprise Security app on the CLI using the same process as other Splunk apps or add-ons. For information on upgrading Splunk platform apps, see Manage apps and add-ons. After Splunk Enterprise Security is installed, run the essinstall command with the appropriate flags as shown in the next step.

  3. On the search head, use the Splunk software command line to run the following command: 
    splunk search '| essinstall' -auth admin:password

    You can also run this search command from Splunk Web and view the installation progress as search results.

    | essinstall

    When installing from the command line, ssl_enablement defaults to "strict." If you don't have SSL enabled, the installer exits with an error.

    If you run the search command to install Splunk Enterprise Security in Splunk Web, you can review the progress of the installation as search results. If you run the search command from the command line, you can review the installation log in: $SPLUNK_HOME/var/log/splunk/essinstaller2.log.

Test installation and setup of Splunk Enterprise Security

Follow these steps to test the installation and setup of Splunk Enterprise Security:

  1. Follow the steps in Download Splunk Enterprise Security to download Splunk Enterprise Security and place it on the search head.
  2. Start the installation process on the search head. Install with the ./splunk install app <filename> command or perform a REST call to start the installation from the server command line.
    For example: 
    curl -k -u admin:password https://localhost:8089/services/apps/local -d filename="true" -d name="<file name and directory>" -d update="true" -v
  3. From Splunk Web, open the Search and Reporting app.
  4. Enter the following search to perform a dry run of the installation and setup.

    |essinstall --dry-run

Uninstall Splunk Enterprise Security

You can uninstall Splunk Enterprise Security by removing the Splunk Enterprise Security Suite from the $SPLUNK_HOME/etc/apps folder by recursively deleting the directory or moving it to $SPLUNK_HOME/etc/disabled-apps and restarting Splunk. When you restart Splunk, the KV Store data is also removed. You can temporarily test the uninstallation of Splunk Enterprise Security by moving the Splunk Enterprise Security Suite to the disabled-apps folder and then move it back.

Splunk Enterprise Security is a collection of apps, so removing a single app folder will not uninstall it. You need to remove or move all applicable apps in the Splunk Enterprise Security Suite.

See also

For more information on installing Splunk Enterprise Security in a search head cluster environment, see the product documentation:

Installing Splunk Enterprise Security in a search head cluster environment

Last modified on 09 August, 2024
Data source planning for Splunk Enterprise Security   Install Splunk Enterprise Security in a search head cluster environment

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters