Splunk® Enterprise

Monitoring Splunk Enterprise

About Splunk Assist

Splunk Assist brings the power of Splunk Cloud management insights to self-managed Splunk Enterprise deployments. It analyzes and continually evaluates security posture, and assists administrators with cloud-powered recommendations for configuration changes that enhance security.

Splunk Assist uses support usage data to generate insights into your deployment, and auto-updates itself to provide the latest information that you can use to ensure that your deployment operates at peak security, performance, and compliance.

Splunk Assist operates as a part of Monitoring Console. It comes with Splunk Enterprise version 9.0 and higher, and you do not have to download or install anything to use it. See the system requirements later in this topic for specifics on what you need to get started.

Splunk Assist comes with several helper packages:

  • App Assist, which monitors the Splunk apps in your deployment to ensure they are up to date and secure
  • Certificate Assist, which provides insight on the public key certificates that you have installed in your Splunk Enterprise deployment and provides guidance according to Splunk security best practice
  • Config Assist, which monitors the configurations in your deployment and provides insights about those configurations according to Splunk best practice

For the latest information on any known issues with Splunk Assist, see the known issues.

System requirements for Splunk Assist

Splunk Assist comes with Splunk Enterprise as part of the Monitoring Console. Your Splunk Enterprise license lets you use it at no additional cost. You must activate Splunk Assist before you can use it to ensure that Splunk provisions a unique set of Splunk Cloud resources for your deployment.

Requirements for Splunk Assist

Splunk Assist has the following requirements for use with your Splunk Enterprise deployment. These are the minimum requirements, and they are in addition to the requirements for Splunk Enterprise itself. The helper packages that come with Splunk Assist have additional requirements.

  • The Splunk Enterprise instances in your deployment must meet the CPU, memory, and disk space requirements that appear in the system requirements topic in the Installation Manual
  • The instance on which you run Splunk Assist must have an additional 10 percent of available disk space over the requirements that appear in the Installation Manual
  • The operating system on the instance where you run Splunk Assist must be either Linux or Windows. Splunk does not support running Splunk Assist on other operating systems
  • The version of Splunk Enterprise on the instance where you run Splunk Assist must be 9.0.0 or higher. Older versions of Splunk Enterprise can't run Splunk Assist, even though they have Monitoring Console
  • You must enable support usage data in your deployment. Splunk Assist doesn't work if support usage data is not available
  • You must run Splunk Assist on an instance that runs Monitoring Console. Splunk Assist doesn't work on instances that don't run Monitoring Console
  • You must use Splunk Assist with a Splunk Enterprise volume-based or infrastructure license. Splunk Assist doesn't work with development, trial, or free licenses.

Requirements for Splunk Assist helper packages

The Certificate Assist and Config Assist helper packages that come with Splunk Assist have the following additional requirements:

  • The instance on which you run Splunk Assist must have the most up-to-date certificate authority certificate package (ca-certificates) for its operating system installed
  • Your deployment must have a minimum of one connected forwarder and two indexers to get insights from Certificate Assist
  • You must have already secured communication between your indexers and forwarders using transport layer security (TLS) certificates. For instructions on how to do this, see Configure Splunk indexing and forwarding to use TLS certificates in the Securing Splunk Enterprise Manual.
  • You must enable the capture of certificate logs on all indexers in your deployment. Specifically, your default Splunk Enterprise logging level must be at INFO or lower. See Enable debug logging in the Troubleshooting Manual for details on how to configure Splunk logging.

Where in your Splunk Enterprise deployment you can run Splunk Assist

While Splunk Assist collects and presents insights from all Splunk Enterprise instances in your deployment, there are some limits to where you can access Splunk Assist from Monitoring Console.

Supported Splunk Enterprise instances for using Splunk Assist

You can use Splunk Assist from Monitoring Console on the following instance types:

  • Standalone search heads
  • Search head deployers
  • Indexer cluster managers
  • License managers

Unsupported Splunk Enterprise instances for using Splunk Assist

You can't use Splunk Assist on the following instance types:

  • Indexers
  • Indexer cluster peers
  • Search head cluster nodes
  • Any kind of forwarder
  • Any Splunk Enterprise instance that has the Federal Information Processing Standards (FIPS) mode enabled
  • Any Splunk Enterprise instance that Splunk Assist supports where you have not enabled support usage data
  • Any Splunk Cloud Platform instance

Splunk Assist performance impact on Splunk Enterprise environments

Because Splunk Assist uses Splunk usage data for a majority of the insights it provides, your Splunk Enterprise environment already performs some of the work that is necessary to generate these insights, if you remain opted in to share that telemetry with Splunk. While Splunk Assist does perform additional searches and its helper packages do run specific processes for these insights, these processes do not appreciably degrade the performance of your Splunk Enterprise infrastructure.

For information on how Splunk uses usage data and how to opt in to sharing that data for use by Splunk Assist, see Share performance and usage data in the Admin Manual.

Get started with Splunk Assist

Configure your Splunk deployment to use Splunk Assist

Last modified on 31 October, 2023

This documentation applies to the following versions of Splunk® Enterprise: 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1
