Splunk Enterprise Security

Enterprise Security app

hazem
Path Finder

We have a cluster with two search heads and two indexers. We need to install the Enterprise Security app on the search heads. The question arises regarding the summary index and indexes created during the Enterprise Security installation, like IOC and notable. Should these indexes be created with the same names on our indexers?


jawahir007
Communicator

There is an inbuilt package available within Splunk ES. You can follow the steps below to configure the Enterprise Security-specific indexes on the indexers:

  1. On the Enterprise Security menu bar, select Configure > General > General Settings.
  2. Scroll to Distributed Configuration Management, and click Download Splunk_TA_ForIndexers.
  3. Select the contents for the package. You must select at least one of the following options to download the package.
    1. (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
    2. (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
  4. Click Download the Package to create and download the Splunk_TA_ForIndexers.
  5. After the add-on downloads, you can modify the contents of the package.
    For example, modify indexes.conf to conform with site retention settings and other storage options.
  6. Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

 

Refer to this link for more details: https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...


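The answer above leaves the "modify indexes.conf" step (step 5) and the question of whether the peers already have matching indexes to the reader. The point that matters operationally: ES writes notable events, risk scores and threat-intel matches to these indexes by name, and an indexer drops events addressed to an index it does not define (unless a lastChanceIndex is configured), so the stanzas in the package must reach every peer with the same names. The following Python is an added example, not code from the original post or from Splunk: it parses the indexes.conf found in a downloaded Splunk_TA_ForIndexers package, applies a per-site retention policy, and reports indexes the peers are missing or have already defined with a different homePath. The sample indexes.conf, the peer index list and the retention policy are all constructed for the example; only the index names notable, ioc and risk are real ES indexes.

```python
"""Pre-deployment check for the indexes.conf inside Splunk_TA_ForIndexers.

Added example, not from the original post or from Splunk. Reads the package's
indexes.conf, applies a site retention policy (the "modify indexes.conf to
conform with site retention settings" step) and compares the result with the
indexes already defined on the cluster peers.
"""

DAY = 86400

# Constructed sample in the shape of the indexes.conf shipped in the package.
# Only three ES indexes are listed; a real package defines many more.
SAMPLE_INDEXES_CONF = """\
[default]
# (hypothetical) the package ships no retention values; the site must add them

[notable]
homePath   = $SPLUNK_DB/notabledb/db
coldPath   = $SPLUNK_DB/notabledb/colddb
thawedPath = $SPLUNK_DB/notabledb/thaweddb

[ioc]
homePath   = $SPLUNK_DB/iocdb/db
coldPath   = $SPLUNK_DB/iocdb/colddb
thawedPath = $SPLUNK_DB/iocdb/thaweddb

[risk]
homePath   = $SPLUNK_DB/riskdb/db
coldPath   = $SPLUNK_DB/riskdb/colddb
thawedPath = $SPLUNK_DB/riskdb/thaweddb
"""

# Constructed: what the peers already define (as you would collect from
# each indexer's btool output). 'risk' was created by hand earlier with a
# different path, 'ioc' does not exist yet.
PEER_INDEXES = {
    "main": {"homePath": "$SPLUNK_DB/defaultdb/db"},
    "notable": {"homePath": "$SPLUNK_DB/notabledb/db"},
    "risk": {"homePath": "/data/risk/db"},
}

# Hypothetical site policy: retention in days per index, others get a default.
SITE_RETENTION_DAYS = {"notable": 365}
DEFAULT_RETENTION_DAYS = 90


def parse_indexes_conf(text):
    """Parse Splunk .conf syntax into {stanza: {key: value}}, preserving key case."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {raw!r}")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def apply_retention(stanzas, policy, default_days):
    """Set frozenTimePeriodInSecs on every index stanza from the site policy.

    The [default] stanza is left as shipped so path defaults are not altered.
    """
    tuned = {}
    for name, settings in stanzas.items():
        new = dict(settings)
        if name != "default":
            new["frozenTimePeriodInSecs"] = str(policy.get(name, default_days) * DAY)
        tuned[name] = new
    return tuned


def check_against_peers(stanzas, peer_indexes):
    """Return (missing, conflicting).

    missing:     indexes in the package that no peer defines yet (ES data sent
                 there would be dropped until the bundle is applied).
    conflicting: indexes defined on both sides with a different homePath, which
                 need a decision before the bundle overrides the peer's stanza.
    """
    package = {n: s for n, s in stanzas.items() if n != "default"}
    missing = sorted(n for n in package if n not in peer_indexes)
    conflicting = sorted(
        n for n in package
        if n in peer_indexes
        and peer_indexes[n].get("homePath") != package[n].get("homePath")
    )
    return missing, conflicting


def render_indexes_conf(stanzas):
    """Serialise stanzas back to .conf text for placing in the manager's app dir."""
    lines = []
    for name, settings in stanzas.items():
        lines.append(f"[{name}]")
        lines.extend(f"{key} = {value}" for key, value in settings.items())
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_indexes_conf(SAMPLE_INDEXES_CONF)
    tuned = apply_retention(parsed, SITE_RETENTION_DAYS, DEFAULT_RETENTION_DAYS)
    missing, conflicting = check_against_peers(tuned, PEER_INDEXES)
    print("missing on peers:", missing)
    print("path conflicts:  ", conflicting)
    print(render_indexes_conf(tuned))
```

Run it against the real package by replacing SAMPLE_INDEXES_CONF with the contents of Splunk_TA_ForIndexers/default/indexes.conf and PEER_INDEXES with what `splunk btool indexes list` shows on a peer. The rendered file then goes into the add-on under the cluster manager's apps directory ($SPLUNK_HOME/etc/manager-apps on Splunk 9.x, master-apps on older releases) before running `splunk validate cluster-bundle` and `splunk apply cluster-bundle`, which is the deployment the answer's step 6 refers to.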

hazem
Path Finder

many thanks @jawahir007 

