Thanks for the response. I am trying to see what Splunk can do as a SIEM with my environment. So at the moment its setup as an all-in-one on a Windows VM.

@acisac Since you’re running Splunk ES in an all‑in‑one Windows VM, that is a perfectly valid way to get familiar with the product and explore its capabilities. Just keep in mind that it's not recommended to keep Windows as a long‑term platform for Enterprise Security in production, so performance and scalability will be limited compared to a Linux‑based deployment. For evaluation purposes though, you will be able to see how correlation searches, dashboards, and investigations work. As you progress, I would encourage you to spin up at least one Linux VM for the core Splunk components and keep Windows VMs for forwarders, since that will give you a more realistic sense of how ES behaves in a supported architecture and help you avoid surprises when you move beyond proof‑of‑concept. Hope it clarifies.

>>

If this post addressed your question, you can:

• Give it karma to show appreciation 👍
• Mark it as the solution if it solved your issue ✔️
• Add a comment if you’d like more details ✏️

Acknowledging helpful answers keeps the community strong and motivates contributors to continue sharing their expertise.

>>

Technically, a windows-based ES instance can be enough for a PoC installation but:

1) Splunk ES is not supported on Windows search head clusters so if you went all in and your environment would grow in the future you'd have to migrate to Linux anyway.

2) Windows deployment server doesn't play nice with Unix clients so you'd probably want at least your DS to seat on a linux machine. And you're starting having heterogenous environment that way.

3) The main problem with ES PoC is data. You can't reliably test/demonstrate SIEM functionality without real-life events on which you could build at least a few detections. That requires proper data onboarding and proper ES configuration. Both of those aren't necessarily straightforward to be set up the way they should be .

So the first two reasons are for keeping away from Windows (but you can just spin up a linux VM within Hyper-V if Windows is your primary OS platform). And the third one is why you should involve a Partner.

One option for monitoring your network (it’s not SIEM) is InfoSec app https://splunkbase.splunk.com/app/4240
You can use it to see what is going on your assets and network, but as I said it hasn’t real SIEM functionality like do automatically correlating searches, find notables etc.
But for splunk noobies it is excellent tool to start monitoring.
Of course also it needs that you do 1st onboarding of needed data sources to get data to analyze it. As already said you can get help from your local splunk partner for it. They have also access to Splunk’s demo environments where they can demonstrate those to you.