Splunk Enterprise Security

Enterprise Security, Staging Servers and Splunk v6.4

Currently looking to upgrade from Splunk 6.3.1 to Splunk 6.4. We run a multi-sited Clustered environment with Enterprise Security 4.0.

Before upgrading I'd like to know if we are still required to stage our apps on a staging server before they are deployed to our Search head Cluster?

Information listed in "Installing a Technology Add-ons" under the heading "Distributing add-ons in a search head cluster with Splunk Enterprise 6.4" suggests we may not have to do this anymore.

Is anyone able to verify or have I misinterpreted this?

Thanks in Advance


Splunk Employee

If you are using a SHC, you will still need to stage the apps, and then deploy them using the deployer to the search head cluster.

ES adds a bit more difficulty into this, as there are some components in ES that are not able to be configured via the SHC, and these need to be configured via the DEV/Staging instance. Things such as modular inputs and threatlists still need to be configured outside of the SHC.


Path Finder

I thought the threatlists are pulled down by the individual Search Heads within the cluster? (from the internet)


Hi esix, thanks for your reply. Using the Deployer to push the apps to the SHC is fine. I was more hoping from the link attached we no longer had to use a staging server before pushing the apps from the Deployer.

Using a staging server in such a large environment becomes tedious. Would you be able to confirm the following?

  1. Is Staging Server required for every installation/update of Addons? (i.e. if we need to enable a new data collection of TA_Unix, does it have to be published in Staging Server and then pushed to deployer?)

  2. Is there a way to determine which “configuration item” requires Staging Server as mandatory? (or every single update needs to follow Staging Server -> deployer model)

Sorry - I don't have enough Karma to post links in my questions. This may work - vhttp://docs.splunk.com/Documentation/ES/4.1.1/Install/InstallTechnologyAdd-ons
