Splunk Enterprise Security

Best practice with TAs in distributed environment.

Splunker
Communicator

Folks,

I have 2 Splunk search-heads, one with Enterprise-Security, and a vanilla (non-ES) Search-Head for general search in a distributed setup.

When installing another distributed app, let's say Splunk for UNIX, on my non-ES SH, is it best practice to deploy the Splunk for UNIX TA on my ES Search-Head?

The documentation of distributed apps never really says whether one should install the TA on other SHs (I always wondered if that was due to Search-Head Pooling).

What is the best practice in this scenario? I would love my non-ES SH to show UNIX data from my ES SH, which has Splunk for UNIX deployed on it.

Thanks.


jcoates_splunk
Splunk Employee

Hi,

TAs are simple apps that can take care of feeding data in and mapping that data to the Common Information Model. Feeding data in isn't always required, because many data sources are easily captured with a file or network input, or via another app like DB Connect. However, if pre-parsing is required, such as for large XML files, or a script or modular input is needed, such as for API-derived data, the TA is the place for that work. All TAs should also provide the field extractions, lookups, and eventtypes needed to map data to the CIM. That means there isn't a one-size-fits-all answer; you might want it in various locations for feeding, or mapping, or both.

In ES's case, we do think you should have Splunk_TA_nix and we include it in the bundle 🙂
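To make the "feeding" versus "mapping" split from the answer concrete, here is a constructed TA skeleton; it is an added illustration, not Splunk_TA_nix's real configuration and not part of the thread. The script, sourcetype and raw field names are hypothetical, and the placement notes assume the usual Splunk split: inputs run where the data is collected, while search-time knowledge (extractions, eventtypes, tags) must exist on every search head that is expected to see the data as CIM-compliant, ES or not.

```ini
# Constructed example TA layout (hypothetical names throughout).
# Each section header below is commented with the file it would live in.

# --- default/inputs.conf : the "feeding" half -----------------------------
# Runs on the forwarder that collects the data; a search head does not need it.
# Example raw line produced by the script (constructed):
#   2024-12-03T10:15:02Z usr=alice ip=10.0.0.5 result=ok
[script://./bin/collect_sessions.sh]
interval = 300
sourcetype = example:sessions
index = os
disabled = 0

# --- default/props.conf : the "mapping" half ------------------------------
# Search-time knowledge: needed on the ES search head AND the non-ES search head
# if both are to see CIM field names for this sourcetype.
[example:sessions]
# Pull the vendor's raw fields out of the event.
EXTRACT-session = usr=(?<usr>\S+)\s+ip=(?<ip>\S+)\s+result=(?<result>\w+)
# Rename raw fields to the CIM Authentication field names.
FIELDALIAS-cim_user = usr AS user
FIELDALIAS-cim_src  = ip AS src
# Normalize the vendor's result values to the CIM "action" vocabulary.
EVAL-action = case(result=="ok", "success", result=="denied", "failure", true(), "unknown")
# Enrich via a lookup shipped with the TA (CSV lives in lookups/).
LOOKUP-host_owner = example_host_owner ip OUTPUTNEW owner

# --- default/transforms.conf ----------------------------------------------
[example_host_owner]
filename = example_host_owner.csv

# --- default/eventtypes.conf ----------------------------------------------
[example_authentication]
search = sourcetype=example:sessions action=*

# --- default/tags.conf ----------------------------------------------------
# The tag is what lets the CIM Authentication data model pick these events up.
[eventtype=example_authentication]
authentication = enabled
```

Only the props/transforms/eventtypes/tags portion is what a second search head needs for ES-style CIM searches to work; the inputs stanza belongs on the collecting forwarders.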


Splunker
Communicator

Many thanks, Jack! I forgot it's bundled in ES, and I also appreciate your point that "it depends" when deciding to install a TA on alternate SHs, depending on what other distributed apps are installed in a particular environment.

But I think I have a better understanding now, so thanks 🙂

Chris.


