I'm new to splunk but I have used other SIEM but they have all been on-prem so I could actually manage the product from start to finish. I opened a ticket to have the add-on installed and that was finished this morning, but I have no idea what to do now. I did some googling and searching here but a lot of the material I found doesn't look like what I'm seeing so I wanted to see if anyone here had similar issues or knows of any documentation I can read through that is you found helpful. There is also the chance that I am misunderstanding what an add-on does.
For reference I had these three add-ons installed:
Splunk Common Information Model
Splunk Add-on for Cisco ASA
Splunk Add-on for Microsoft Active Directory
Splunk Add-on for Microsoft Windows
Hi, I'm going to throw some docs at you. Add-ons provide inputs for specific technologies. They also provide field extractions, event types, and lookups to map to the Common Information Model.
See the general Splunk Add-ons manual for information about what add-ons are, how they relate to the Common Information Model, how to install them, and more. You might need to install them on your forwarders. See Install an add-on in Splunk Cloud for more information about this.
Each of the add-ons you mention has its own specific documentation that describes how to configure and use the software:
Hope this is useful.
Splunk's documentation theme seems to be "you need to have first done the thing before the documentation makes any sense", this approach is infuriating. Documents contain no images to keep you on track, no detailed explanation of what needs to be done, and too many references to external sources. I can't actually learn anything from a single page of Splunk documentation it is truly some of the worst writing I have ever encountered. I have read the docs you supplied that is why I am here. What I'm missing is, what do I do now? How do I test it? Do I have to install this on a forwarder vs the search head? How do I know it works, can I prove to my supervisor that this product has value?
I am sorry you have found the documentation to be so frustrating. My interpretation of your question was that you were asking for pointers to the docs, my apologies for adding to your frustration!
The thing is, the answer to your question about deployment is "it depends." As described in Where to install Splunk add-ons, you can install an add-on in any tier of your Splunk deployment. The actual contents of the add-on dictate whether it needs to act on the search tier, the indexing tier, or the forwarders.
The documentation for each add-on contains the specific details about installation and configuration.
You know an add-on is working when you can search the relevant source type and get correct results and field extractions.
I am going to have someone reach out to you to see if they can guide you more specifically.
try and think about add-ons (this is not 100% accurate all the time) as back end transparent configurations that massages the data and makes it easier for splunk to report on.
all you have to do now, is bring the data in to your splunk cloud, and start searching it.
hope i understood your question