topic Re: How to deploy the Splunk App for Enterprise Security in an Indexer and Search Head Clustering environment? in Splunk Enterprise Security

How to deploy the Splunk App for Enterprise Security in an Indexer and Search Head Clustering environment?

masiddiqu — Thu, 23 Apr 2015 09:21:39 GMT

Hi,

I am trying to simulate a cluster environment for the Splunk App for Enterprise Security. The setup is:

-Two Indexers in a cluster with Rep Factor =2 , search factor=2
-One search head for ES APP other one for third party apps.
-Dedicated Cluster Master & Deployer on a single machine.

I have installed the ES APP in the on the deployer and copied SA-ForIndexers, TA-*, Splunk_TA*, Splunk_SA* files to master-apps and pushed to the Indexer cluster. With this, it is able to create the indexes.

Would like to know what are all the directories i need to copy/Push to the ES APP search head node?
Do i need to create search head cluster, or just i can copy directly ES app related files for the search head?
How do I ensure that the search head sends all the data to the Indexer cluster?

Thanks
siddiqu.T

Re: How to deploy the Splunk App for Enterprise Security in an Indexer and Search Head Clustering environment?

esix_splunk — Thu, 23 Apr 2015 09:28:52 GMT

Indexer Clustering and Search Head Clustering are two separate and distinct features. You need to understand the basics of both in order to run ES in both. Based on your environment description, you do not have Search Head Clustering in mind.

Regarding Indexer Clustering, you need a working cluster before you install ES. Once you have a valid working clustered indexer environment, then you can install ES. There is a SA-ForIndexers that comes with ES, this would be placed on your Cluster Master and distributed to each indexer. This is not through the deployer, the deployer is used for SHC.

For SHC, again you need to understand how this works before you try and deploy ES on this. There is a large list of issues you need to be aware of and understand before you even attempt this. Make sure you read the documentation at :

http://docs.splunk.com/Documentation/ES/3.2.2/Install/AdvancedImp

Re: How to deploy the Splunk App for Enterprise Security in an Indexer and Search Head Clustering environment?

masiddiqu — Thu, 23 Apr 2015 09:40:43 GMT

Hi,

I have completed the Index cluster and pushed the SA-ForIndexesrs via cluster master to the indexers. The indexes are created on both indexers.

For the search Head cluster, would like to know what are all directories/files we need to push to the search head nodes via deployer.

Thanks
siddiqu.T

Re: How to deploy the Splunk App for Enterprise Security in an Indexer and Search Head Clustering environment?

esix_splunk — Thu, 23 Apr 2015 09:48:14 GMT

If you have SHC configured, you need 3 search heads, you can follow the Documentation for deploying ES in SHC. It will involve all SA-* SplunkforEnterpriseSecurity* DA-* folders.