Splunk Enterprise Security

Enterprise Security app

hazem
Path Finder

We have a cluster with two search heads and two indexers. We need to install the Enterprise Security app on the search heads. The question arises regarding the summary index and indexes created during the Enterprise Security installation, like IOC and notable. Should these indexes be created with the same names on our indexers?

Labels (1)
0 Karma
1 Solution

jawahir007
Communicator

There is an inbuilt package available with in Splunk ES.. You can follow the below steps to configure the Enterprise Security specific indexes in to the indexers

  1. On the Enterprise Security menu bar, select Configure > General > General Settings.
  2. Scroll to Distributed Configuration Management, and click Download Splunk_TA_ForIndexers .
  3. Select the contents for the package. You must select at least one of the following options to download the package.
    1. (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
    2. (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
  4. Click Download the Package to create and download the Splunk_TA_ForIndexers.
  5. After the add-on downloads, you can modify the contents of the package.
    For example, modify indexes.conf to conform with site retention settings and other storage options.
  6. Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

 

Refer this link for more details : https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...

View solution in original post

0 Karma

hazem
Path Finder

many thanks @jawahir007 

0 Karma

jawahir007
Communicator

There is an inbuilt package available with in Splunk ES.. You can follow the below steps to configure the Enterprise Security specific indexes in to the indexers

  1. On the Enterprise Security menu bar, select Configure > General > General Settings.
  2. Scroll to Distributed Configuration Management, and click Download Splunk_TA_ForIndexers .
  3. Select the contents for the package. You must select at least one of the following options to download the package.
    1. (Optional) Select the check box for Include index time properties to include the props.conf and transforms.conf files in the package.
    2. (Optional) Select the check box for Include index definitions to include the indexes.conf file in the package.
  4. Click Download the Package to create and download the Splunk_TA_ForIndexers.
  5. After the add-on downloads, you can modify the contents of the package.
    For example, modify indexes.conf to conform with site retention settings and other storage options.
  6. Use the cluster master to deploy the Splunk_TA_ForIndexers or add-ons to the cluster peers. See Manage common configurations across all peers and Manage app deployment across all peers in Managing Indexers and Clusters of Indexers.

When you install a new add-on to use with Enterprise Security, repeat these steps to create an updated version of Splunk_TA_ForIndexers.

 

Refer this link for more details : https://docs.splunk.com/Documentation/ES/7.3.2/Install/InstallTechnologyAdd-ons#Create_the_Splunk_TA...

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...