topic Re: Add-on installation on Search Head or on Indexer? in Installation

Add-on installation on Search Head or on Indexer?

b_chris21 — Wed, 31 Mar 2021 15:49:19 GMT

Hello,

my distributed environment consists of:

1) Splunk Enterprise Security (Deployment Server/Search Head) - RHEL7.9
2) Splunk Indexer (Deployment Client) - RHEL7.9
3) WEF server (Windows Server 2016) which collects Windows Event Logs and sysmon events from systems that belong to the domain. There is a Splunk UF installed which forwards the events to Splunk Indexer (2).

Question:

I want to keep the data to indexer (2), but I want to be able to populate the respective datamodels in Splunk ES and get notable events for suspicious traffic in the domain.

Where do I have to install the necessary addons that will normalize the data? On Splunk ES (1) or Splunk Indexer (2) ?

Thank you in advance,

Chris

Re: Add-on installation on Search Head or on Indexer?

manjunathmeti — Wed, 31 Mar 2021 15:53:18 GMT

hi @b_chris21,

Configurations and updates needed for the data model to normalize the data are done on search heads only.
You need to deploy the add-ons on search head - Splunk ES (1).

If this reply helps you, a like would be appreciated.

Re: Add-on installation on Search Head or on Indexer?

richgalloway — Wed, 31 Mar 2021 15:55:20 GMT

Most add-ons should be installed on BOTH the indexer and the search head. That's because they often have some properties that apply at index time and others that apply at search time.

Re: Add-on installation on Search Head or on Indexer?

b_chris21 — Wed, 31 Mar 2021 15:57:25 GMT

Thanks for your rapid reply.

What is the best solution to bring indexed data in Splunk ES and populate lookups? I see Sec-Kit app is built to do that. Shall I install Sec-Kit in Splunk ES directly?

Thanks again.

Re: Add-on installation on Search Head or on Indexer?

b_chris21 — Wed, 31 Mar 2021 15:59:41 GMT

Thanks for your reply. I see a lot of posts though mentioning that installing addons (eg CIM) on indexers is not recommended as this might cause performance issue to an already stressed indexer. Eg. it might cause an additional attempt for datamodel acceleration.

What is the best practice?

Thanks

Re: Add-on installation on Search Head or on Indexer?

richgalloway — Wed, 31 Mar 2021 17:30:35 GMT

That depends on the add-on, which is why each should be examined (or at least read the docs) before it is installed.

Datamodel accelerations are initiated by search heads rather than indexers.