Splunk® App for PCI Compliance

Installation and Configuration Manual

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Platform and hardware requirements

This section provides guidance on system requirements for your Splunk App for PCI Compliance deployment.

System requirements for Splunk Enterprise

The Splunk App for PCI Compliance 2.1 and later are supported on Splunk Enterprise 6.0.1 and later. It also shares supporting add-ons and technology add-ons with Splunk App for Enterprise Security. Splunk App for PCI Compliance requires these add-ons.

See "System requirements" in the Installation Manual for the OS platforms, file systems, and browsers supported by Splunk Enterprise.

Note: The Incident Review dashboard feature in the Splunk App for PCI Compliance does not work on the Solaris operating system. Do not use SPARC platforms.

Additional system requirements for Splunk App for PCI Compliance

In addition to Splunk Enterprise, the Splunk App for PCI Compliance has Sideview Utils, a third party app available on Splunkbase, as a prerequisite. The app setup process links you to the Sideview Utils app if it is not already installed.

Deployment considerations

The performance and architecture of the Splunk App for PCI Compliance depends on several dimensions that you must consider during the initial planning phase. They include:

  • Search load. The number of searches (ad hoc, scheduled, and real-time) that are run against Splunk software have an impact on system resources both on the search head and the indexers. Increased search load, whether generated by ad hoc or scheduled searches, decreases overall performance. Compliance-oriented correlation searches and dashboard maintenance searches can be resource intensive. Splunk software can scale horizontally through the addition of indexers to share the search load and reduce overall processing time for searches.
  • Concurrent Users. As more users actively use Splunk software, more load is placed on the solution.
  • Data volume. The architecture of the Splunk deployment is determined primarily by the total volume of data that you are indexing within Splunk software. Customers with higher data volumes need more indexers to support higher volumes at both index time and search time.
  • Other apps. Other Splunk apps include saved searches, requiring additional processing.

Hardware recommendations

To ensure your servers and storage systems meet the Splunk system deployment requirements, see "Introduction to capacity planning for Splunk Enterprise" in the Capacity Planning Manual for general hardware recommendations.

Minimum recommended hardware requirements

All deployments, regardless of size, should consider at minimum a two-server deployment. Install the Splunk App for PCI Compliance on its own search head. This increases the resource availability and eliminates the possibility of conflict with other apps installed on the same Splunk deployment. Configure an additional server as a dedicated indexer. This architecture helps to ensure consistent performance and facilitates scaling as your data volumes and use cases expand. To determine the number of indexers needed, use the following table as a guide.

Indexer Platform Indexer Capacity
Windows 27GB/day
UNIX 34GB/day

Example: To index 50GB of data per day and run Splunk Enterprise on Linux-based servers, plan for 2 indexers and 1 search head. If you have other use cases, expect a high number of concurrent users, or plan to run other apps in the deployment as well, then consider additional indexers.

You might need an architecture review and optimization, depending on your environment. Contact Splunk Professional Services or Technical Support for more information.

Impact on Storage Requirements

The Splunk App for PCI Compliance summary indexes consumes about 5-10% of the index data in storage volume, which is used to drive the dashboards and views. These summary indexes are stored on the search head by default. Alternatively, summary indexes can be distributed to indexers, which increases the required storage for the indexer.

Dedicated search head

Install the Splunk App for PCI Compliance on its own search head for improved performance and availability. A dedicated search head eliminates the possibility of conflict with other apps installed on the same Splunk deployment.

Search head pooling

The Splunk App for PCI Compliance supports search head pooling, but test the architecture before implementation. Search head pooling adds the potential for conflicts with other Splunk apps and has significant performance considerations. See "Key implementation issues" in Distributed Search if you plan to use a search head pool.

See "Overview of search head pooling" in Distributed Search for information on setting up search head pooling.

Gather deployment information

Make sure you have all the information you need and the appropriate access to the servers in your Splunk deployment before you install the Splunk App for PCI Compliance.

Determine what assets and identities to monitor as part of your deployment, as this information and its collection determines not only the scope of your PCI compliance solution, but also drive many of the asset-centric reports within the app itself.

See "Asset management" and "Identity correlation" in the PCI User Manual for details about the information that must be contained in both the asset and identities lists.

See "Asset and identify correlation" in the PCI User Manual for more information about assets and identities.

The table lists information you need to set up the app.

Requirements Details Related Documentation
Identify Assets and Identities Identify the assets and identities to monitor with the deployment. This information is included in lookups used by the Splunk App for PCI Compliance to manage assets and identities. "Configure assets" and "Configure identities" in this manual.
Data inputs For each data input to be used, you need to know:
  • The associated technology add-on that provides knowledge mapping. These technology add-ons are shared wtih Splunk Enterprise Security 4.0.0.
  • Any required configuration changes to technology add-on. See the README for the technology add-on.
  • Correct source type. Automatically discovered in some cases. See the README for the technology add-on.
  • Data source or location.
  • Splunk input type (UDP, TCP, scripted input, and so on).
  • Data destination (forwarder or indexer).
"Data management overview" in this manual.
Administrative Access To install the Splunk App for PCI Compliance you must have administrative access to the servers where Splunk Enterprise and the Splunk App for PCI Compliance installed. This includes 'sudo' access, root access, or administrator access if on Windows. "Configure user roles" in this manual.
Search heads List of all servers where a Splunk search head is installed.
Indexers List of all indexers sending data to Splunk Enterprise. These must be configured to define which applications must be installed. You need the URL and Splunk port, and Splunk admin account and password information.
Forwarders List of all forwarders sending data to Splunk Enterprise. These must be configured in order to define which applications must be installed. You need the deployment server URL and port information.
Collect information for editable lookups Any approved protocols, expected views, interesting ports, interesting processes, primary functions, and so on to monitor in your deployment. "Steps to configure" in this manual.
Collect information for additional configuration tasks Modify or create Incident workflow status, build new correlation searches, or other potential configuration tasks as part of the deployment. "Steps to configure" in this manual.
Last modified on 24 October, 2015
PREVIOUS
Identify data feeds
  NEXT
Deployment options

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters