Splunk® Enterprise

Add Symantec Endpoint Protection data: Single instance

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Additional resources

The following sections provide additional information and links.

About Guided Data Onboarding

Using both Splunk Web and Splunk documentation, Guided Data Onboarding (GDO) provides end-to-end guidance for getting specific data sources into specific Splunk platform deployments. If you have a Splunk deployment up and running and if you have an admin or equivalent role so that you can install add-ons, you can use these guides to get data from popular data sources into Splunk.

Where to find Guided Data Onboarding

From your home page in Splunk Web, you can find the data onboarding guides by clicking Add Data. Then, you can either search for a data source or explore different categories of data sources. Currently, the categories are Networking, Operating System, and Security.

After you select your data source, you must select a deployment scenario. Then, you can view diagrams and high-level steps to set up and to configure your data source.

Splunk Web links to documentation that explains how to set up and configure your data source in greater detail. You can find all the Guided Data Onboarding manuals by clicking the Add data tab on the Splunk Enterprise Documentation site.

Supported Deployment Scenarios

For each data source, Splunk currently supports Guided Data Onboarding for three deployment scenarios. See the following table for a description of each scenario:

Deployment scenario Description
Single-instance

deployment

A single Splunk Enterprise instance handles both indexing and search management. In this deployment scenario, you typically also install forwarders on your data-generating hosts to feed data from the hosts to your single instance.
Distributed deployment with

indexer clustering

In a distributed deployment, multiple Splunk Enterprise instances work together to support environments in which data originates on many machines, or in which many users need to search the data. Indexer clustering is a Splunk Enterprise feature by which an indexer cluster replicates data to achieve several goals. They include data availability, data fidelity, disaster tolerance, and improved search performance.
Splunk Cloud Splunk Cloud delivers the benefits of Splunk Enterprise as a cloud-based service.

If you need help determining your deployment, see the Inherit a Splunk Enterprise Deployment manual.

Supported Data Sources

Guided Data Onboarding is currently supported for the following data sources:

Data Source Description
Cisco ASA Allows an administrator to map Cisco ASA devices, Cisco PIX, and Cisco FWSM events to the Splunk CIM.

We provide Guided Data Onboarding for the following deployment scenarios:

You can also read more in the Splunk Add-on for Cisco ASA manual.

McAfee ePO Allows an administrator to collect antivirus information and vulnerability scan reports.

We provide Guided Data Onboarding for the following deployment scenarios:

You can also read more in the Splunk Add-on for McAfee manual.

Microsoft Active Directory Allows an administrator to collect Active Directory and Domain Name Server debug logs from Windows hosts that act as domain controllers for a supported version of Windows Server.

We provide Guided Data Onboarding for the following deployment scenarios:

You can also read more in the Splunk Add-on for Microsoft Active Directory manual.

Microsoft Windows Allows an administrator to collect CPU, disk, I/O, memory, log, configuration, and user data with data inputs.

We provide Guided Data Onboarding for the following deployment scenarios:

You can also read more in the Splunk Add-on for Windows manual.

Palo Alto Networks Allows an administrator to collect data from every product in the Palo Alto Networks Next-generation Security Platform.

We provide Guided Data Onboarding for the following deployment scenarios:

You can also read more at splunk.paloaltonetworks.com.

Symantec Endpoint Protection Allows an administrator to collect logs from Symantec Endpoint Protection Manager over dump files.

We provide Guided Data Onboarding for the following deployment scenarios:

You can also read more in the Splunk Add-on for Symantec Endpoint Protection manual.

Turn off Guided Data Onboarding

If you do not want the Guided Data Onboarding feature to appear in Splunk Web, go to your $SPLUNK_HOME/etc/apps/splunk_gdi/default/gdi_settings.conf file and set the allowWebService variable to false.

Splunk Documentation

Splunk has a wide range of documentation, including tutorials, use cases, and manuals for administrators, developers, and users:

  • For a high-level introduction to Splunk Enterprise software, see the Splunk Enterprise Overview manual.
  • For more information about Splunk Cloud, see the Splunk Cloud User manual.
  • If you are a system admin who has inherited a Splunk Enterprise deployment, or if you are uncertain what type of deployment scenario you have, see the Inheriting a Splunk Enterprise Deployment manual.
  • For additional information about getting data into the Splunk software, see the Getting Data In manual.
  • For additional information about installing add-ons, see the Splunk Add-ons manual.


You can find additional information on the Splunk Documentation site.

Splunk Community

Through Splunk Answers, Slack, user groups, and blogs, you can find other users with whom to chat. Find everything you need to connect with the Splunk Community on the Community Portal.

Splunk Education

To learn more about Splunk features and how to use them, see the Splunk selection of Splunk Education videos and classes.

Last modified on 09 June, 2023
Verify your SEP data  

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters