Install the Splunk Add-on for Splunk Attack Analyzer
To install the Splunk Add-on for Splunk Attack Analyzer, follow these high-level steps:
- Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the tables on this page.
- Complete your installation.
If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the Installation walkthroughs section later on this page for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud Platform.
Distributed deployments
Use the following tables to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you might need to install the add-on in multiple places.
Where to install this add-on
Unless otherwise noted, you can safely install all supported add-ons to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of the Splunk platform.
| Splunk instance type | Supported? | Required? | Comments |
|---|---|---|---|
| Search heads | Yes | Yes | Install this add-on to all search heads where you want to collect information. As a best practice, turn visibility off on your search heads to prevent data duplication errors. These errors can result from running inputs on your search heads instead of on your data collection node. |
| Indexers | Yes | Conditional | Not required if you use heavy forwarders to collect data. |
| Heavy forwarders | Yes | Conditional | This add-on can use heavy forwarders to perform data collection through modular inputs and to perform the setup and authentication in Splunk Web. |
| Universal forwarders | No | N/A | N/A |
| Inputs Data Manager | Yes | No | This add-on is supported by Splunk Inputs Data Manager (IDM). |
| Self Service App Install (SSAI) | Conditional | No | This add-on is supported by Self Service App Install (SSAI). This add-on is not supported by SSAI if an IDM is used. |
Distributed deployment feature compatibility
This table describes the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported? | Comments |
|---|---|---|
| Search head clusters | Yes | Deactivate add-on visibility on search heads. You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection. |
| Indexer clusters | Yes | To get data from an indexer cluster member, install the add-on into that member. |
| Deployment server | No | Supported for deploying unconfigured add-ons only. Using a deployment server to deploy the configured add-on to multiple forwarders acting as data collectors causes duplication of data. The add-on uses the credential vault to secure your credentials, and this credential management solution is incompatible with the deployment server. |
Installation walkthroughs
The Splunk Add-Ons manual includes an About installing Splunk add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
- Install an add-on in a single-instance Splunk Enterprise deployment.
- Install an add-on in a distributed Splunk Enterprise deployment.
- Install an add-on in Splunk Cloud Platform.
Next step
| Installation requirements and version dependencies | Configure the Splunk Add-on for Splunk Attack Analyzer |
This documentation applies to the following versions of Splunk® Add-on for Splunk Attack Analyzer: 1.0.0, 1.1.0, 1.1.1, 1.2.0
Download manual
Feedback submitted, thanks!