
Where to install Search Activity app?

lassel
Communicator

From the documentation page:
- Do not install on a Search Head Cluster. This app leverages local TSIDX that are not supported under clustering.
- Be cautious installing on a user search head. This app creates a TSIDX with audit data, but it is not possible to apply permissions to a TSIDX file (a great new feature with data models!), so a user who realizes that it is there could pull audit data.

Where WOULD you recommend installing the app?

We are pretty new to Splunk. We have a small cluster with a couple of search heads and a couple of indexers.


David
Splunk Employee
Splunk Employee

You should generally install the Search Activity App on a search head that has distributed search set up to all of the indexers, where your search heads should forward your logs.

First preference is to install it onto an admin box that users don't have access to, such as SOS or the DMC.

Second preference would be to install it onto a normal search head, but set permissions so that non-admins can't see it (while they could directly query the tsidx... they'd have to know it's there and be familiar with tstats, and even in that extremely unlikely case they would only be able to see what other users are searching for). The app will, in fact, require that you adjust the permissions so that it doesn't sit at the default of global all read.

Third preference would be to set up a VM where admins can run tests, run SOS, DMC, etc.

If you only have search heads that are user-facing, and you are really concerned about very advanced and determined users being able to see what other users are searching, then it's probably reasonable to install the app on an indexer provided that it has distributed search set up. This is pretty atypical, though, and not generally recommended practice because it makes one indexer different from the others. You should try to avoid installing UI-apps directly on indexers because it will introduce additional load (albeit small load from this app), could introduce new props/transforms (again, not an issue for this app), and is probably not QA'd.


chimell
Motivator

Hi lassel
I suggest you install the Search Activity app on the indexers of your system.

David
Splunk Employee
Splunk Employee

You should not do this in a typical setup.
