Do I need to install the Splunk Add-on for Check Point OPSEC LEA on both search heads and indexers running Splunk 6.4.1?

pinVie
Path Finder

Hi,

I am currently working on a 6.4.1 environment and I need to use the Splunk Add-on for Check Point OPSEC LEA, but this is only available for 6.3.x.
What I did for now was to set up a 6.3.x Heavy Forwarder and install the OPSEC Add-on there -> everything fine.

But according to the documentation, I have to install it on the Search heads and Indexers as well. Do I have to downgrade them all, or can I just install the app? I assume indexers and search heads only use parts of the app that should work on Splunk 6.4.1 as well - like props.conf, transforms.conf, lookups, ... Is this correct?

Thank you!

0 Karma
1 Solution

jgedeon120
Contributor

You should be fine installing the TA on 6.4 for the field extractions.

0 Karma

javiergn
Super Champion

Keep in mind a new version of the OPSEC LEA app should be released any time soon, so you might want to wait a few weeks.
See this: https://answers.splunk.com/answers/407882/will-the-opsec-lea-add-on-be-updated-to-support-sp.html

0 Karma

pinVie
Path Finder

That's what I wanted to hear 🙂 thx

0 Karma