https://community.splunk.com/t5/All-Apps-and-Add-ons/Tenable-App-for-Splunk-use-with-Heavy-Forwarder/m-p/746259#M81922 <P>Depends on what you means by "require HF". Modular inputs must be run on a "full" Splunk Enterprise instance. So in this meaning - it requires HF because it won't run on UF. Technically you can run the modular input on an All-in-one instance without spinning up a separate HF. While you could run it also directly on an indexer or SH, it's not a recommended architecture - those roles are best left alone with what they do.</P> Thu, 15 May 2025 14:45:53 GMT PickleRick 2025-05-15T14:45:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Tenable-App-for-Splunk-use-with-Heavy-Forwarder/m-p/746249#M81920 <P>I am trying to set up the Tenable App for Splunk and the documentation is a bit vague about whether it requires a Heavy Forwarder to operate.&nbsp; I found an old post from 2017 that mentioned it did, but it was referencing older versions of Nessus than what is used in my environment.&nbsp; Does anyone know if a heavy forwarder is still required for the&nbsp; Tenable App for Splunk?</P> Thu, 15 May 2025 13:27:35 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Tenable-App-for-Splunk-use-with-Heavy-Forwarder/m-p/746249#M81920 gheller 2025-05-15T13:27:35Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Tenable-App-for-Splunk-use-with-Heavy-Forwarder/m-p/746251#M81921 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310201">@gheller</a>&nbsp;Inputs must be configured to run from the Heavy Forwarder.&nbsp;<SPAN>The&nbsp;</SPAN>Search Head<SPAN>&nbsp;is used for dashboards and adaptive response actions, but it relies on data collected and forwarded by the Heavy Forwarder.</SPAN></P><P><SPAN><SPAN class="">It's important to enable the KV Store on the Heavy Forwarder to support the add-on's functionality</SPAN></SPAN></P><P><SPAN><A href="https://docs.tenable.com/integrations/Splunk/Content/PDF/Tenable_and_Splunk_Integration_Guide.pdf" target="_blank" rel="noopener">Tenable and Splunk Integration Guide</A>&nbsp;</SPAN></P><P><SPAN>The&nbsp;<SPAN class="">Tenable</SPAN>&nbsp;Add-on has specific purposes for each Splunk component.</SPAN></P><P><SPAN><A href="https://docs.tenable.com/integrations/Splunk/Content/Components.htm" target="_blank" rel="noopener">Components</A></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kiran_panchavat_0-1747317791074.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39019iF71532F44348B501/image-size/medium?v=v2&amp;px=400" role="button" title="kiran_panchavat_0-1747317791074.png" alt="kiran_panchavat_0-1747317791074.png" /></span></P><P>Install the add-on on both the Heavy Forwarder and the Search Head but create data inputs only on the heavy forwarder.&nbsp;<A href="https://splunkbase.splunk.com/app/4060" target="_blank" rel="noopener">https://splunkbase.splunk.com/app/4060</A>&nbsp;</P><P>Install the app exclusively on the Search Head.&nbsp;<A href="https://splunkbase.splunk.com/app/4061" target="_blank" rel="noopener">https://splunkbase.splunk.com/app/4061</A>&nbsp;</P> Thu, 15 May 2025 14:09:36 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Tenable-App-for-Splunk-use-with-Heavy-Forwarder/m-p/746251#M81921 kiran_panchavat 2025-05-15T14:09:36Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Tenable-App-for-Splunk-use-with-Heavy-Forwarder/m-p/746259#M81922 <P>Depends on what you means by "require HF". Modular inputs must be run on a "full" Splunk Enterprise instance. So in this meaning - it requires HF because it won't run on UF. Technically you can run the modular input on an All-in-one instance without spinning up a separate HF. While you could run it also directly on an indexer or SH, it's not a recommended architecture - those roles are best left alone with what they do.</P> Thu, 15 May 2025 14:45:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Tenable-App-for-Splunk-use-with-Heavy-Forwarder/m-p/746259#M81922 PickleRick 2025-05-15T14:45:53Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Tenable-App-for-Splunk-use-with-Heavy-Forwarder/m-p/746263#M81923 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310201">@gheller</a>&nbsp;</P><P>&nbsp;The latest docs are at&nbsp;<A href="https://docs.tenable.com/integrations/Splunk/Content/Welcome.htm" target="_blank" rel="noopener">https://docs.tenable.com/integrations/Splunk/Content/Welcome.htm</A>&nbsp;which they have recently updated, there is a great diagram to show where things should be installed:</P><DIV class=""><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="livehybrid_0-1747321214213.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/39021i88886EBFC24934F9/image-size/medium?v=v2&amp;px=400" role="button" title="livehybrid_0-1747321214213.png" alt="livehybrid_0-1747321214213.png" /></span><P>&nbsp;</P>&nbsp;<DIV class="">&nbsp;<P><IMG border="0" /></P><P>In short, the&nbsp;<A href="https://splunkbase.splunk.com/app/4060" target="_self">Tenable Add-On for Splunk</A>&nbsp;should be installed on your SH and HF (with inputs created on HF, or pushed out via your deployment server to HF if appropriate) and then install the&nbsp;<A href="https://splunkbase.splunk.com/app/4061" target="_self">Tenable App for Splunk&nbsp;on just the SH).</A></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;<STRONG>Did this answer help you?<SPAN>&nbsp;If so, please consider:</SPAN></STRONG></SPAN></P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification<P>Your feedback encourages the volunteers in this community to continue contributing</P></LI></UL></DIV></DIV> Thu, 15 May 2025 15:00:53 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Tenable-App-for-Splunk-use-with-Heavy-Forwarder/m-p/746263#M81923 livehybrid 2025-05-15T15:00:53Z