Splunk® App for PCI Compliance

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. For documentation on the most recent version, go to the latest release.

Platform and hardware requirements

This section provides guidance on system requirements for your Splunk App for PCI Compliance deployment.

System requirements for Splunk Enterprise

The Splunk App for PCI Compliance 2.1 and later is supported on Splunk Enterprise 6.0.1 and later. It shares supporting add-ons and technology add-ons with Splunk App for Enterprise Security, and the Splunk App for PCI Compliance requires these add-ons.

See "System requirements" in the Installation Manual for the OS platforms, file systems, and browsers supported by Splunk Enterprise.

Note: The Incident Review dashboard feature in the Splunk App for PCI Compliance does not work on the Solaris operating system. Do not use SPARC platforms.

Additional system requirements for Splunk App for PCI Compliance

In addition to Splunk Enterprise, the Splunk App for PCI Compliance has Sideview Utils, a third party app available on Splunkbase, as a prerequisite. The app setup process links you to the Sideview Utils app if it is not already installed.

Deployment considerations

The performance and architecture of the Splunk App for PCI Compliance depend on several dimensions that you must consider during the initial planning phase. They include:

  • Search load. The number of searches (ad hoc, scheduled, and real-time) that are run against Splunk software have an impact on system resources both on the search head and the indexers. Increased search load, whether generated by ad hoc or scheduled searches, decreases overall performance. Compliance-oriented correlation searches and dashboard maintenance searches can be resource intensive. Splunk software can scale horizontally through the addition of indexers to share the search load and reduce overall processing time for searches.
  • Concurrent Users. As more users actively use Splunk software, more load is placed on the solution.
  • Data volume. The architecture of the Splunk deployment is determined primarily by the total volume of data that you are indexing within Splunk software. Customers with higher data volumes need more indexers to support higher volumes at both index time and search time.
  • Other apps. Other Splunk apps include saved searches, requiring additional processing.

Hardware recommendations

To ensure your servers and storage systems meet the Splunk system deployment requirements, see "Introduction to capacity planning for Splunk Enterprise" in the Capacity Planning Manual for general hardware recommendations.

Minimum recommended hardware requirements

All deployments, regardless of size, should consider at minimum a two-server deployment. Install the Splunk App for PCI Compliance on its own search head. This increases the resource availability and eliminates the possibility of conflict with other apps installed on the same Splunk deployment. Configure an additional server as a dedicated indexer. This architecture helps to ensure consistent performance and facilitates scaling as your data volumes and use cases expand. To determine the number of indexers needed, use the following table as a guide.

Indexer Platform    Indexer Capacity
Windows             27GB/day
UNIX                34GB/day

Example: To index 50GB of data per day and run Splunk Enterprise on Linux-based servers, plan for 2 indexers and 1 search head. If you have other use cases, expect a high number of concurrent users, or plan to run other apps in the deployment as well, then consider additional indexers.

You might need an architecture review and optimization, depending on your environment. Contact Splunk Professional Services or Technical Support for more information.

Impact on Storage Requirements

The Splunk App for PCI Compliance summary indexes, which drive the dashboards and views, consume about 5-10% of the indexed data in storage volume. These summary indexes are stored on the search head by default. Alternatively, summary indexes can be distributed to indexers, which increases the required storage on the indexers.
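The sizing guidance above (the indexer capacity table, the 50GB/day example, and the 5-10% summary-index overhead) can be turned into a small planning helper. This is an added example, not a Splunk tool; it assumes Linux is sized using the UNIX row of the table and that the extra indexers the text recommends for heavy concurrent use or other apps are left to the planner's judgement.

```python
import math

# Indexer capacity per platform, from the sizing table on this page (GB/day).
INDEXER_CAPACITY_GB_PER_DAY = {"windows": 27, "unix": 34}

# Summary-index storage overhead stated on this page: about 5-10% of indexed data.
SUMMARY_INDEX_OVERHEAD = (0.05, 0.10)


def plan_deployment(daily_gb, platform):
    """Return a minimum two-server plan: one dedicated search head plus N indexers.

    daily_gb: total raw data volume indexed per day, in GB.
    platform: "windows", "unix" or "linux" (Linux is sized on the UNIX row;
              that mapping is an assumption of this example, not page text).
    """
    if daily_gb <= 0:
        raise ValueError("daily volume must be positive")
    key = platform.strip().lower()
    if key == "linux":
        key = "unix"
    if key not in INDEXER_CAPACITY_GB_PER_DAY:
        raise ValueError(f"unknown indexer platform: {platform!r}")

    capacity = INDEXER_CAPACITY_GB_PER_DAY[key]
    # Round up: a partially loaded indexer is still a whole server.
    indexers = max(1, math.ceil(daily_gb / capacity))
    low, high = (daily_gb * f for f in SUMMARY_INDEX_OVERHEAD)

    return {
        "search_heads": 1,  # the app sits on its own dedicated search head
        "indexers": indexers,
        "indexer_capacity_gb_per_day": indexers * capacity,
        "headroom_gb_per_day": indexers * capacity - daily_gb,
        # Daily summary-index growth on the search head (or on the
        # indexers, if summary indexes are distributed to them).
        "summary_index_gb_per_day": (round(low, 2), round(high, 2)),
    }


if __name__ == "__main__":
    # The worked example from this page: 50GB/day on Linux servers.
    print(plan_deployment(50, "Linux"))
```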

Dedicated search head

Install the Splunk App for PCI Compliance on its own search head for improved performance and availability. A dedicated search head eliminates the possibility of conflict with other apps installed on the same Splunk deployment.

Search head pooling

The Splunk App for PCI Compliance supports search head pooling, but test the architecture before implementation. Search head pooling adds the potential for conflicts with other Splunk apps and has significant performance considerations. See "Key implementation issues" in Distributed Search if you plan to use a search head pool.

See "Overview of search head pooling" in Distributed Search for information on setting up search head pooling.

Gather deployment information

Make sure you have all the information you need and the appropriate access to the servers in your Splunk deployment before you install the Splunk App for PCI Compliance.

Determine what assets and identities to monitor as part of your deployment. This information and its collection not only determines the scope of your PCI compliance solution, but also drives many of the asset-centric reports within the app itself.

See "Asset management" and "Identity correlation" in the PCI User Manual for details about the information that must be contained in both the asset and identities lists.

See "Asset and identity correlation" in the PCI User Manual for more information about assets and identities.

The following table lists the information you need to set up the app.

Requirement: Identify assets and identities
Details: Identify the assets and identities to monitor with the deployment. This information is included in lookups used by the Splunk App for PCI Compliance to manage assets and identities.
Related documentation: "Configure assets" and "Configure identities" in this manual.

Requirement: Data inputs
Details: For each data input to be used, you need to know:
  • The associated technology add-on that provides knowledge mapping. These technology add-ons are shared with Splunk Enterprise Security 4.0.0.
  • Any required configuration changes to the technology add-on. See the README for the technology add-on.
  • The correct source type. Automatically discovered in some cases. See the README for the technology add-on.
  • Data source or location.
  • Splunk input type (UDP, TCP, scripted input, and so on).
  • Data destination (forwarder or indexer).
Related documentation: "Data management overview" in this manual.

Requirement: Administrative access
Details: To install the Splunk App for PCI Compliance you must have administrative access to the servers where Splunk Enterprise and the Splunk App for PCI Compliance are installed. This includes 'sudo' access, root access, or administrator access on Windows.
Related documentation: "Configure user roles" in this manual.

Requirement: Search heads
Details: List of all servers where a Splunk search head is installed.

Requirement: Indexers
Details: List of all indexers sending data to Splunk Enterprise. These must be configured to define which applications must be installed. You need the URL and Splunk port, and the Splunk admin account and password information.

Requirement: Forwarders
Details: List of all forwarders sending data to Splunk Enterprise. These must be configured to define which applications must be installed. You need the deployment server URL and port information.

Requirement: Collect information for editable lookups
Details: Any approved protocols, expected views, interesting ports, interesting processes, primary functions, and so on to monitor in your deployment.
Related documentation: "Steps to configure" in this manual.

Requirement: Collect information for additional configuration tasks
Details: Modify or create Incident workflow statuses, build new correlation searches, or carry out other potential configuration tasks as part of the deployment.
Related documentation: "Steps to configure" in this manual.
Last modified on 24 October, 2015

This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1

