How do you install the Symantec Security Analytics App in a distributed deployment with a SHC?

chris_barrett
SplunkTrust

I've been asked to deploy the Symantec Security Analytics (SA) App For Splunk in an environment that consists of a SHC and a clustered indexing tier.

The SA admin has provided me with a couple of TGZ files (SymantecSecurityAnalytics7.2-11.tgz and TA-symantec-sa-11.tgz) and with a 3 page PDF that claims to be an "Install Guide". The PDF provides a rudimentary set of instructions, but it's clearly geared towards an installation on a single-instance Splunk deployment. I also found this PDF on Symantec's site but it too is geared towards a single-instance deployment.

Has anyone successfully installed and configured the App (and TA) in a distributed environment with a SHC and, if so, how?

On a related note, the PDF says to modify the two Workflow Actions by replacing the default IP address (127.0.0.1) in the URI with the IP address of "the sensor" (emphasis added by me) - but the SA admin says that there are multiple SA sensors so it's not clear what to do. Apparently the sensors sense different things so we can't (we believe) query just one sensor. The SA admin has suggested using the address of the "Central Management Console" (CMC) - does anyone know if this will work?

0 Karma
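The post does not get an answer here, but the two mechanical parts of the question (staging the app tarballs for a SHC, and pointing the workflow actions away from 127.0.0.1 without editing the vendor's default files) follow the generic Splunk deployer pattern. The script below is an added example written for this page; it is not from the original post, the Symantec install guide, or the app itself. It assumes each tarball unpacks to a single app directory, that the workflow actions live in `default/workflow_actions.conf`, and it uses a constructed stand-in tarball with a placeholder stanza and a placeholder sensor address (`sensor.example.invalid`), since the real stanza names and the question of whether the CMC address works are not settled on the page.

```shell
#!/bin/sh
# Added example, not from the post or the Symantec install guide.
# Assumptions: the tarballs unpack to one app directory; workflow actions
# live in default/workflow_actions.conf; the sensor address is an
# operator-supplied placeholder (sensor.example.invalid).

# Unpack one app tarball into STAGING (on a real deployer this would be
# $SPLUNK_HOME/etc/shcluster/apps) and print the app directory name.
stage_app() {
    tarball=$1
    staging=$2
    mkdir -p "$staging"
    tar -xzf "$tarball" -C "$staging"
    tar -tzf "$tarball" | head -n 1 | cut -d/ -f1
}

# Write local/workflow_actions.conf with every 127.0.0.1 in the default
# file replaced by SENSOR. default/ is left untouched so an app upgrade
# does not clobber the change. Prints how many lines now carry SENSOR.
override_sensor_uri() {
    appdir=$1
    sensor=$2
    src="$appdir/default/workflow_actions.conf"
    dst="$appdir/local/workflow_actions.conf"
    if [ ! -f "$src" ]; then
        echo "missing $src" >&2
        return 1
    fi
    mkdir -p "$appdir/local"
    sed "s/127\.0\.0\.1/$sensor/g" "$src" > "$dst"
    grep -c "$sensor" "$dst"
}

# Build a constructed stand-in for one of the vendor tarballs so this
# runs offline; the stanza name, label and URI are placeholders.
make_fixture() {
    work=$1
    app="$work/src/ExampleSAApp"
    mkdir -p "$app/default"
    cat > "$app/default/workflow_actions.conf" <<'EOF'
[example_sa_lookup]
display_location = both
label = Look up in Security Analytics (placeholder)
link.method = get
link.uri = https://127.0.0.1/placeholder/path
type = link
EOF
    tar -czf "$work/ExampleSAApp.tgz" -C "$work/src" ExampleSAApp
    echo "$work/ExampleSAApp.tgz"
}

# Stand-alone run against the constructed fixture.
work=$(mktemp -d)
tgz=$(make_fixture "$work")
name=$(stage_app "$tgz" "$work/shcluster/apps")
count=$(override_sensor_uri "$work/shcluster/apps/$name" "sensor.example.invalid")
echo "staged $name; $count URI line(s) now point at the sensor"
# Next step on a real deployer (deliberately not run here):
#   splunk apply shcluster-bundle -target https://<any-shc-member>:8089 -auth admin:<password>
rm -rf "$work"
```

Only the search-head side is shown: the search-head app and TA go on the deployer and are pushed with `splunk apply shcluster-bundle`; any index-time parts of the TA are distributed separately through the indexer cluster manager rather than the deployer. The `local/` override is the point worth copying: it keeps the vendor's `default/` files pristine, so the change survives a reinstall and is easy to diff when a reviewer asks what was modified.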