Splunk Enterprise Security

Enterprise Security app

hazem
Path Finder

We have a cluster with two search heads and two indexers. We need to install the Enterprise Security app on the search heads. The question arises regarding the summary index and indexes created during the Enterprise Security installation, like IOC and notable. Should these indexes be created with the same names on our indexers?

Labels (1)
0 Karma
1 Solution

jawahir007
Communicator

There is an inbuilt package available with in Splunk ES.. You can follow the below steps to configure the Enterprise Security specific indexes in to the indexers

  1. On the Enterprise Security menu bar, select Configure > General > General Settings.
  2. Scroll to Distributed Configuration Management, and click Download Splunk_TA_ForIndexers .
  3. Select the contents for the package. You must select at least one of the following options to download the package.
    1. (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
    2. (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
  4. Click Download the Package to create and download the Splunk_TA_ForIndexers.
  5. After the add-on downloads, you can modify the contents of the package.
    For example, modify indexes.conf to conform with site retention settings and other storage options.
  6. Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

 

Refer this link for more details : https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...

View solution in original post

0 Karma

hazem
Path Finder

many thanks @jawahir007 

0 Karma

jawahir007
Communicator

There is an inbuilt package available with in Splunk ES.. You can follow the below steps to configure the Enterprise Security specific indexes in to the indexers

  1. On the Enterprise Security menu bar, select Configure > General > General Settings.
  2. Scroll to Distributed Configuration Management, and click Download Splunk_TA_ForIndexers .
  3. Select the contents for the package. You must select at least one of the following options to download the package.
    1. (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
    2. (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
  4. Click Download the Package to create and download the Splunk_TA_ForIndexers.
  5. After the add-on downloads, you can modify the contents of the package.
    For example, modify indexes.conf to conform with site retention settings and other storage options.
  6. Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

 

Refer this link for more details : https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...