topic Re: Add Enterprise Security to on prem clustered environment in Splunk Enterprise

Add Enterprise Security to on prem clustered environment

SplunkExplorer — Thu, 18 Jan 2024 13:50:48 GMT

Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.

As usual when I put a question here, let me share a minimal of context and assumption.

Environment:

A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
Currently, only one SH
Clustered indexers

Task:

Install and configure a SH with Splunk Enterprise Security.

Assumption:

I know the full installation procedure (doc + Splunk Enterprise Admin course)
I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

> splunk edit cluster-config -mode searchhead -manager_uri https://<manager node address> -secret <cluster secret>

Questions:

This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
SH with ES component should be add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?

Re: Add Enterprise Security to on prem clustered environment

richgalloway — Thu, 18 Jan 2024 14:04:25 GMT

The ES SH should be kept separate and not joined with the existing SH into a cluster because: 1) you need at least 3 SHs to make a cluster; 2) SHs must be virgin to form a cluster; 3) ES doesn't play well with other apps and so needs to be on its own.

Re: Add Enterprise Security to on prem clustered environment

SplunkExplorer — Thu, 18 Jan 2024 14:15:43 GMT

Thanks a lot @richgalloway. Answer to Question 2 is exactly what I supposed.

Regarding point 1, is the syntax I posted is the one to use to "insert" ES on environment or should I use another one?

Re: Add Enterprise Security to on prem clustered environment

PickleRick — Thu, 18 Jan 2024 14:27:11 GMT

You install ES differently on a standalone SH and on a SHC. So you must either firstly set up a SHC (and for that you don't use an existing SH - you spin up a clear SH and join it to the SHC). Whether you want a SHC depends on your needs and expected workload. You can create a SHC (but again - you must create a new SHC and then possibly migrate some of your settings from existing standalone SH manually) and install ES on it. But just as well you could set up a dedicated SH just for ES use (and use the other SH for "normal" Splunk work). Both approaches have their pros and cons. Single SHC is bigger in minimal option (you need at least three SHs for the SHC and a deployer) but is probably easier to manage than two separate SHs - they can be painful to keep relevant configs in sync.

Re: Add Enterprise Security to on prem clustered environment

richgalloway — Thu, 18 Jan 2024 15:01:33 GMT

The syntax you gave is the right one for adding a new SH to a cluster, but you don't need it just to install ES on an SH. Create a new SH and install ES on it using the instructions in the ES manual.

Re: Add Enterprise Security to on prem clustered environment

SplunkExplorer_ — Fri, 19 Jan 2024 17:39:03 GMT

@SplunkExplorer wrote:
Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.
As usual when I put a question here, let me share a minimal of context and assumption.
Environment:
A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
Currently, only one SH
Clustered indexers
Task:
Install and configure a SH with Splunk Enterprise Security.
Assumption:
I know the full installation procedure (doc + Splunk Enterprise Admin course)
I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

> splunk edit cluster-config -mode searchhead -manager_uri https://<manager node address> -secret <cluster secret>

Questions:

This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
SH with ES component should be add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?

@SplunkExplorer wrote:
Hi Splunkers, I have a doubt about setting for Splunk Enterprise Security.
As usual when I put a question here, let me share a minimal of context and assumption.
Environment:
A completely on prem Splunk Enterprise (no Slunk Cloud SaaS).
Currently, only one SH
Clustered indexers
Task:
Install and configure a SH with Splunk Enterprise Security.
Assumption:
I know the full installation procedure (doc + Splunk Enterprise Admin course)
I know how to manage a cluster environment (doc + Architect course). For example, I know that if I have to set a Splunk instance as SH I can use, from CLI:

> splunk edit cluster-config -mode searchhead -manager_uri https://<manager node address> -secret <cluster secret>

Questions:

This syntax is still valid to add a SH with ES installed on it? The doubt is if the ES presence should lead me to use a different approach to tell "Hey, SH wth ES: indexers to query are those".
SH with ES component should be add as single SH (so, decoupled from already existing SH) or should I create a SH Cluster with normal SH + ES ES?

Check DM.