Solved: Enterprise Security app

hazem

We have a cluster with two search heads and two indexers. We need to install the Enterprise Security app on the search heads. The question arises regarding the summary index and indexes created during the Enterprise Security installation, like IOC and notable. Should these indexes be created with the same names on our indexers?

jawahir007

There is an inbuilt package available with in Splunk ES.. You can follow the below steps to configure the Enterprise Security specific indexes in to the indexers

On the Enterprise Security menu bar, select Configure > General > General Settings.
Scroll to Distributed Configuration Management, and click Download Splunk_TA_ForIndexers .
Select the contents for the package. You must select at least one of the following options to download the package.
1. (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
2. (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
Click Download the Package to create and download the Splunk_TA_ForIndexers.
After the add-on downloads, you can modify the contents of the package.
For example, modify indexes.conf to conform with site retention settings and other storage options.
Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

Refer this link for more details : https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...

View solution in original post

hazem

many thanks @jawahir007

jawahir007

There is an inbuilt package available with in Splunk ES.. You can follow the below steps to configure the Enterprise Security specific indexes in to the indexers

On the Enterprise Security menu bar, select Configure > General > General Settings.
Scroll to Distributed Configuration Management, and click Download Splunk_TA_ForIndexers .
Select the contents for the package. You must select at least one of the following options to download the package.
1. (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
2. (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
Click Download the Package to create and download the Splunk_TA_ForIndexers.
After the add-on downloads, you can modify the contents of the package.
For example, modify indexes.conf to conform with site retention settings and other storage options.
Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

Refer this link for more details : https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...

Enterprise Security app

installation

Meet Duke Cyberwalker | A hero’s journey with Splunk

The Future of Splunk Search is Here - See What’s New!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today