
Tenable App for Splunk use with Heavy Forwarder

gheller
Engager

I am trying to set up the Tenable App for Splunk and the documentation is a bit vague about whether it requires a Heavy Forwarder to operate. I found an old post from 2017 that mentioned it did, but it was referencing older versions of Nessus than what is used in my environment. Does anyone know if a heavy forwarder is still required for the Tenable App for Splunk?


livehybrid
SplunkTrust

Hi @gheller 

The latest docs are at https://docs.tenable.com/integrations/Splunk/Content/Welcome.htm which they have recently updated. There is a great diagram to show where things should be installed:

livehybrid_0-1747321214213.png

In short, the Tenable Add-On for Splunk should be installed on your SH and HF (with inputs created on HF, or pushed out via your deployment server to HF if appropriate) and then install the Tenable App for Splunk on just the SH.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

    Your feedback encourages the volunteers in this community to continue contributing


PickleRick
SplunkTrust

Depends on what you mean by "require HF". Modular inputs must be run on a "full" Splunk Enterprise instance. So in this meaning - it requires HF because it won't run on UF. Technically you can run the modular input on an All-in-one instance without spinning up a separate HF. While you could run it also directly on an indexer or SH, it's not a recommended architecture - those roles are best left alone with what they do.

kiran_panchavat
SplunkTrust

@gheller Inputs must be configured to run from the Heavy Forwarder. The Search Head is used for dashboards and adaptive response actions, but it relies on data collected and forwarded by the Heavy Forwarder.

It's important to enable the KV Store on the Heavy Forwarder to support the add-on's functionality.

Tenable and Splunk Integration Guide 

The Tenable Add-on has specific purposes for each Splunk component.

Components

kiran_panchavat_0-1747317791074.png

Install the add-on on both the Heavy Forwarder and the Search Head but create data inputs only on the heavy forwarder. https://splunkbase.splunk.com/app/4060 

Install the app exclusively on the Search Head. https://splunkbase.splunk.com/app/4061 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!