
Do I need to install the Splunk Add-on for Check Point OPSEC LEA on both search heads and indexers running Splunk 6.4.1?

Path Finder

Hi,

I am currently working on a 6.4.1 environment and I need to use the Splunk Add-on for Check Point OPSEC LEA, but this is only available for 6.3.x.
What I did for now is set up a 6.3.x Heavy Forwarder and install the OPSEC Add-on there -> everything fine.

But according to the documentation, I have to install it on the Search heads and Indexers as well. Do I have to downgrade them all, or can I just install the app? I assume indexers and search heads only use parts of the app that should work on Splunk 6.4.1 as well - like props.conf, transforms.conf, lookups, ... Is this correct?

Thank you!

0 Karma

Re: Do I need to install the Splunk Add-on for Check Point OPSEC LEA on both search heads and indexers running Splunk 6.4.1?

Contributor

You should be fine installing the TA on 6.4 for the field extractions.

0 Karma

Re: Do I need to install the Splunk Add-on for Check Point OPSEC LEA on both search heads and indexers running Splunk 6.4.1?

Path Finder

That's what I wanted to hear 🙂 thx

0 Karma

Re: Do I need to install the Splunk Add-on for Check Point OPSEC LEA on both search heads and indexers running Splunk 6.4.1?

SplunkTrust

Keep in mind a new version of the OPSEC LEA app should be released any time soon, so you might want to wait a few weeks.
See this: https://answers.splunk.com/answers/407882/will-the-opsec-lea-add-on-be-updated-to-support-sp.html

0 Karma