Platform and hardware requirements
This section provides guidance on system requirements for your Splunk App for PCI Compliance deployment.
System requirements for Splunk Enterprise
Splunk App for PCI Compliance versions 2.1 and later are supported on Splunk Enterprise 6.0.1 and later. The app also shares supporting add-ons and technology add-ons with the Splunk App for Enterprise Security. Splunk App for PCI Compliance requires these add-ons.
See "System requirements" in the Installation Manual for the OS platforms, file systems, and browsers supported by Splunk Enterprise.
Note: The Incident Review dashboard feature in the Splunk App for PCI Compliance does not work on the Solaris operating system. Do not use SPARC platforms.
Additional system requirements for Splunk App for PCI Compliance
In addition to Splunk Enterprise, the Splunk App for PCI Compliance has Sideview Utils, a third-party app available on Splunkbase, as a prerequisite. The app setup process links you to the Sideview Utils app if it is not already installed.
The performance and architecture of the Splunk App for PCI Compliance depend on several dimensions that you must consider during the initial planning phase. They include:
- Search load. The number of searches (ad hoc, scheduled, and real-time) that are run against Splunk software has an impact on system resources both on the search head and the indexers. Increased search load, whether generated by ad hoc or scheduled searches, decreases overall performance. Compliance-oriented correlation searches and dashboard maintenance searches can be resource intensive. Splunk software can scale horizontally through the addition of indexers to share the search load and reduce overall processing time for searches.
- Concurrent users. As more users actively use Splunk software, more load is placed on the solution.
- Data volume. The architecture of the Splunk deployment is determined primarily by the total volume of data that you are indexing within Splunk software. Customers with higher data volumes need more indexers to support higher volumes at both index time and search time.
- Other apps. Other Splunk apps include saved searches, which require additional processing.
To ensure your servers and storage systems meet the Splunk system deployment requirements, see "Introduction to capacity planning for Splunk Enterprise" in the Capacity Planning Manual for general hardware recommendations.
Minimum recommended hardware requirements
All deployments, regardless of size, should consider at minimum a two-server deployment. Install the Splunk App for PCI Compliance on its own search head. This increases the resource availability and eliminates the possibility of conflict with other apps installed on the same Splunk deployment. Configure an additional server as a dedicated indexer. This architecture helps to ensure consistent performance and facilitates scaling as your data volumes and use cases expand. To determine the number of indexers needed, use the following table as a guide.
|Indexer Platform||Indexer Capacity|
Example: To index 50GB of data per day and run Splunk Enterprise on Linux-based servers, plan for 2 indexers and 1 search head. If you have other use cases, expect a high number of concurrent users, or plan to run other apps in the deployment as well, then consider additional indexers.
You might need an architecture review and optimization, depending on your environment. Contact Splunk Professional Services or Technical Support for more information.
Impact on Storage Requirements
The summary indexes of the Splunk App for PCI Compliance, which drive the dashboards and views, consume about 5-10% of the index data in storage volume. These summary indexes are stored on the search head by default. Alternatively, summary indexes can be distributed to indexers, which increases the required storage for the indexer.
Dedicated search head
Install the Splunk App for PCI Compliance on its own search head for improved performance and availability. A dedicated search head eliminates the possibility of conflict with other apps installed on the same Splunk deployment.
Search head pooling
The Splunk App for PCI Compliance supports search head pooling, but test the architecture before implementation. Search head pooling adds the potential for conflicts with other Splunk apps and has significant performance considerations. See "Key implementation issues" in Distributed Search if you plan to use a search head pool.
See "Overview of search head pooling" in Distributed Search for information on setting up search head pooling.
Gather deployment information
Make sure you have all the information you need and the appropriate access to the servers in your Splunk deployment before you install the Splunk App for PCI Compliance.
Determine what assets and identities to monitor as part of your deployment. This information and its collection determine not only the scope of your PCI compliance solution, but also drive many of the asset-centric reports within the app itself.
The table lists information you need to set up the app.
|Identify Assets and Identities||Identify the assets and identities to monitor with the deployment. This information is included in lookups used by the Splunk App for PCI Compliance to manage assets and identities.||"Configure assets" and "Configure identities" in this manual.|
|Data inputs||For each data input to be used, you need to know:
||"Data management overview" in this manual.|
|Administrative Access||To install the Splunk App for PCI Compliance you must have administrative access to the servers where Splunk Enterprise and the Splunk App for PCI Compliance are installed. This includes 'sudo' access, root access, or administrator access if on Windows.||"Configure user roles" in this manual.|
|Search heads||List of all servers where a Splunk search head is installed.|
|Indexers||List of all indexers sending data to Splunk Enterprise. These must be configured to define which applications must be installed. You need the URL and Splunk port, and Splunk admin account and password information.|
|Forwarders||List of all forwarders sending data to Splunk Enterprise. These must be configured in order to define which applications must be installed. You need the deployment server URL and port information.|
|Collect information for editable lookups||Any approved protocols, expected views, interesting ports, interesting processes, primary functions, and so on to monitor in your deployment.||"Steps to configure" in this manual.|
|Collect information for additional configuration tasks||Modify or create Incident workflow status, build new correlation searches, or other potential configuration tasks as part of the deployment.||"Steps to configure" in this manual.|
Identify data feeds
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1