Splunk® App for PCI Compliance

Installation and Configuration Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of Splunk® App for PCI Compliance. Click here for the latest version.
Acrobat logo Download topic as PDF

Deployment options

You must have a Splunk Enterprise 6.3.0 platform installed to install this version of the Splunk App for PCI Compliance. There are several architectures and features to consider when implementing Splunk software. Follow the instructions below if you are not currently using Splunk Enterprise Security 4.x.x and need to deploy this app for the first time.

If you already have Splunk Enterprise Security 4.x.x, skip this section.

Common deployment architectures

Splunk App for PCI Compliance does not require special deployment. The deployment process is same as Splunk Enterprise Security 4.x.x. This topic covers how to integrate the Splunk App for PCI Compliance in the following common deployment architectures:

  • Single instance deployment
  • Distributed deployment

The recommended deployment architectures share common components:

Search head A Splunk platform instance that is the central location for Splunk software apps and search knowledge, hosting the users, and providing authentication and authorization. The search head also manages and directs search requests to the few or many indexers. Splunk App for PCI Compliance must be installed on its own search head.
Indexer A Splunk platform instance that processes search requests from search heads. The indexer also accepts incoming data streams from forwarders, transforms the streams into events, and writes the events into indexes.
Forwarder A Splunk platform instance that obtains and streams data to the indexers. Forwarders are designed to load balance the data streams between indexers.

Single instance deployment

When designing simple and small deployments, use a single Splunk platform instance with Splunk App for PCI Compliance installed. A single instance serves both the search head and indexer logistical roles, accepting data streams from forwarders along with parsing, storing, and searching the data. A single instance Splunk platform configuration is often used for a lab or test environment and supports one or two users running concurrent searches.

Whenever possible, use forwarders for data collection.

Distributed deployments

A distributed Splunk Enterprise deployment is recommended when running Splunk App for PCI Compliance. A dedicated search head hosting provides the user interface and search management roles. A collection of indexers provides improved search performance by distributing the workload of searching data across more nodes. Having multiple indexers also allows for distributing the forwarders incoming data streams and the workload of processing those streams.

Whenever possible, use forwarders for data collection.

Clustering options

In a distributed search deployment, both the search head and indexer roles offer clustering options. This app supports installation on a search head cluster and running on an indexer cluster.

Search head considerations

Splunk App for PCI Compliance supports installation on one dedicated search head or search head cluster. Install only Common Information Model (CIM)-compatible add-ons on a search head or search head cluster hosting this app.

The app also enforces all real-time searches to use the indexed real-time setting for improved indexing performance. For more information, see About real-time searches and reports in the Search Manual. If the configuration is reverted, the overall indexing capacity will be reduced. To review the performance implications, see Expected performance and known limitations of real-time searches and reports" in the Search Manual.

CPU cores

Search head requires a minimum of 16 CPU cores. Additional cores are necessary depending on search concurrency, search type, and number of users.


The search head requires a minimum of 16GB of RAM. Add additional memory to address search concurrency, the number of correlation searches enabled, and the size of the asset and identity tables referenced by Splunk App for PCI Compliance.

Forward search head data to indexers

In a distributed search deployment, configure the search head to forward all data to the indexers. This configuration is required to implement search head clustering. See Forward search head data to the indexer layer in the Distributed Search manual.

Search head clustering

Splunk App for PCI Compliance supports installation on Linux-based search head clusters only. A search head cluster requires the KV store feature for data synchronization among search cluster members. For a list of requirements, see System requirements and other deployment considerations for search head clusters in the Distributed Search Manual.

Using Splunk App for PCI Compliance with other apps

Install only CIM-compatible apps or add-ons with Splunk App for PCI Compliance when deployed in a search head cluster.

KV Store

Splunk App for PCI Compliance requires the KV Store. For more information about KV Store, including the system requirements, see About the app key value store in the Admin Manual.

Forward search head data to indexers

The search head cluster members must send all locally generated data to the indexers. See Forward data from search head cluster members in the Distributed Search Manual.

Deploying configuration changes

Using search head clustering changes the method used to deploy apps and configuration files to the search head cluster members. The deployment server is not supported for distributing configurations or apps to a search head cluster. To distribute configurations across the set of search head cluster members, use the search head cluster deployer. See Use the deployer to distribute apps and configuration updates in the Distributed Search Manual.

To facilitate using the deployer to manage configuration files with hashed passwords, the captain replicates its Splunk.secret file to all other cluster members during initial deployment of the cluster. For more information, see Deploy secure passwords across multiple servers in the Securing Splunk Enterprise Manual.

Indexer considerations

Indexing is an I/O-intensive process. The indexers require sufficient disk I/O to ingest and parse data efficiently while responding to search requests. For the latest IOPS requirements to run this app, see Reference Hardware in the Capacity Planning Manual.

The Splunk platform scales horizontally through the use of indexers. The numberof indexers required in a deployment is dependent on the data volume, retention requirements, search type, and search concurrency. The indexer scaling recommendation is one indexer per 150GB of indexed data volume per day.

Data volume (GB/day) 100 300 500 800 1000 1500 2000
Indexer count with one Splunk Enterprise Security search head 1 3 5 8 10 15 20

A collection of indexers can serve more than one search head. Additional, non-Enterprise Security search heads using the same indexers will impact the total performance and reduce the resources available to the search infrastructure. Always increase the number of indexers to scale with increases in search load and search concurrency.


This app defines custom indexes for event storage. For more information about the indexes required, see Configure and deploy indexes in this manual.

Indexer clustering

Splunk App for PCI Compliance supports both single site and multisite cluster architectures. See The basics of indexer cluster architecture and Multisite cluster architecture in the Managing Indexers and Clusters Manual.

A single site or multisite indexer cluster architecture may have one search head or search head cluster with a running instance of the Splunk App for PCI Compliance. Additional, single instance search heads cannot run this app.

Using the clustering feature changes the way you must deploy apps and configuration files to the indexer peer nodes. See Manage common configurations across all cluster peers and Manage app deployment across all cluster peers in the Managing Indexers and Clusters Manual.

Data model accelerations

Splunk App for PCI Compliance accelerates data models to provide dashboard panel and correlation search results. Data model acceleration uses the indexers for processing and storage, placing the accelerated data alongside each index. To calculate the additional storage needed on the indexers based on the total volume of data, use the following formula: accelerated data model storage/year = data volume per day * 3.4

This formula assumes that you are using the recommended retention rates for the accelerated data models.

Example: If you process 100GB/day of data volume for use with this app, you need approximately 340GB more space available across all of the indexers to allow for up to one year of data model retention and source retention.

The storage used for data model acceleration is not added to index sizing calculations for maintenance tasks such as bucket rolling and free space checks. For additional information, see Data model acceleration storage and retention in this manual.

Splunk Enterprise 6.1.0 and later implements new configuration parameters for data model acceleration tasks. See Advanced configurations for persistently accelerated data models in the Knowledge Manager Manual.

Deployment server

The deployment server deploys apps to nodes within the Splunk platform environment. In Splunk App for PCI Compliance, use the deployment server to deploy add-ons to forwarders and indexers for distributing index-time knowledge.

For information about the deployment server configuration and use, see About deployment server and forwarder management in the Updating Splunk Enterprise Instances Manual.

The use of a search head clustering changes the method used to deploy apps and configuration files. Do not use the deployment server to deploy directly to a search cluster or index cluster members. Each clustered tier, search heads, and indexers, has its own configuration methodology and tool.

Splunk App for PCI Compliance includes a tool to gather the indexes.conf and index-time props.conf and transforms.conf settings from all enabled apps and add-ons on the search head and assemble them into one add-on. For more details, see Distributed Configuration Management in this manual.

Virtualized hardware

Installing Splunk App for PCI Compliance in a virtualized environment requires the same memory and CPU allocation as an installation in a non-virtualized environment. You must reserve all CPU and memory resources, with no oversubscription of hardware.

In a virtualized environment, test the storage IOPS across all Splunk platform indexer nodes simultaneously. The results from every node must conform to the Reference Hardware IOPS specified in the Capacity Planning Manual.

Insufficient storage performance is a common cause for poor search response and timeouts when scaling the Splunk platform in a virtualized environment.

Splunk Cloud

Splunk App for PCI Compliance is available on Splunk Cloud. For more information, see the Splunk Cloud documentation.

Distributed Management Console

If the Distributed Management Console (DMC) is enabled on a Splunk App for PCI Compliance search head, it must remain in standalone mode. For more information on when and how to configure the DMC for use in a distributed environment, see Which instance should host the console? in the Distributed Management Console Manual.

Deploying with other apps

The Splunk App for PCI Compliance relies on the knowledge supplied in the technology add-ons. These add-ons specify the complex data processing necessary to optimize, normalize, and categorize your compliance data for use in the PCI Compliance solution. Apps and add-ons that have been developed separately might include data knowledge that has not been normalized for the Splunk App for PCI Compliance and can overwrite fields that the app uses, preventing the proper functioning of the searches, dashboards, and reports that rely on those fields.

Note: For optimal performance of the Splunk App for PCI Compliance, install on a dedicated search head without other apps installed and that indexers only use the necessary PCI Compliance-compatible technology add-ons. It shares shares technology add-ons, supporting add-ons, and domain add-ons with Splunk Enterprise Security, but test and consider the volume of data that you process in your environment before installing the Splunk App for PCI Compliance on the same search head as Splunk Enterprise Security.

In some cases, it might be necessary to install other apps on the same search head or server as the Splunk App for PCI Compliance. Many apps and add-ons provided by Splunk software are compatible with the PCI Compliance solution. Compatible apps are documented as such on the Splunkbase download page for the app. Installing apps or add-ons that are not designated as compatible with the Splunk App for PCI Compliance can negatively impact performance of the app and prevent data from being processed correctly, preventing some data from showing up on dashboards.

Remote data collection

Use forwarders to collect data from remote systems ("Using forwarding agents"). A node where a forwarder is installed is a collection point for one or more data sources. The technology add-ons for those data sources should be installed on the forwarder, ensuring that the data is properly tagged. To manage and distribute technology add-ons across many forwarders, use the Splunk deployment server ("About deployment server") or a third party software distribution system. If Splunk Enterprise Security 4.x.x is already installed and the technology add-ons are already collecting data on a specific node, this node can act as a forwarder.

Last modified on 03 November, 2016
Platform and hardware requirements
Data management overview

This documentation applies to the following versions of Splunk® App for PCI Compliance: 3.0.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters