All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Tenable App for Splunk use with Heavy Forwarder

gheller
Engager
‎05-15-2025 06:27 AM

I am trying to set up the Tenable App for Splunk and the documentation is a bit vague about whether it requires a Heavy Forwarder to operate.  I found an old post from 2017 that mentioned it did, but it was referencing older versions of Nessus than what is used in my environment.  Does anyone know if a heavy forwarder is still required for the  Tenable App for Splunk?

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎05-15-2025 08:00 AM

Hi @gheller 

 The latest docs are at https://docs.tenable.com/integrations/Splunk/Content/Welcome.htm which they have recently updated, there is a great diagram to show where things should be installed:

livehybrid_0-1747321214213.png

 

 
 

In short, the Tenable Add-On for Splunk should be installed on your SH and HF (with inputs created on HF, or pushed out via your deployment server to HF if appropriate) and then install the Tenable App for Splunk on just the SH).

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

    Your feedback encourages the volunteers in this community to continue contributing

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

livehybrid
SplunkTrust
SplunkTrust
‎05-15-2025 08:00 AM

Hi @gheller 

 The latest docs are at https://docs.tenable.com/integrations/Splunk/Content/Welcome.htm which they have recently updated, there is a great diagram to show where things should be installed:

livehybrid_0-1747321214213.png

 

 
 

In short, the Tenable Add-On for Splunk should be installed on your SH and HF (with inputs created on HF, or pushed out via your deployment server to HF if appropriate) and then install the Tenable App for Splunk on just the SH).

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

    Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎05-15-2025 07:45 AM

Depends on what you means by "require HF". Modular inputs must be run on a "full" Splunk Enterprise instance. So in this meaning - it requires HF because it won't run on UF. Technically you can run the modular input on an All-in-one instance without spinning up a separate HF. While you could run it also directly on an indexer or SH, it's not a recommended architecture - those roles are best left alone with what they do.

0 Karma
Reply
Solved! Jump to solution

kiran_panchavat
Champion
‎05-15-2025 07:01 AM

@gheller Inputs must be configured to run from the Heavy Forwarder. The Search Head is used for dashboards and adaptive response actions, but it relies on data collected and forwarded by the Heavy Forwarder.

It's important to enable the KV Store on the Heavy Forwarder to support the add-on's functionality

Tenable and Splunk Integration Guide 

The Tenable Add-on has specific purposes for each Splunk component.

Components

kiran_panchavat_0-1747317791074.png

Install the add-on on both the Heavy Forwarder and the Search Head but create data inputs only on the heavy forwarder. https://splunkbase.splunk.com/app/4060 

Install the app exclusively on the Search Head. https://splunkbase.splunk.com/app/4061 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...