Splunk Enterprise Security

How do I configure Splunk Enterprise Security in an indexer cluster?

mgalos
New Member

I am not sure which Splunk ES related apps go where.

My deployment looks like the following:

Splunk universal forwarder (windows/linux/) + syslog ===> 2 Heavy Forwarders =====> 2 Indexers ======> 1 search head/master

I deployed the OS related TA app on the UF and the ES app config on the search head/mater. I am not sure where any of the SA or DA files need to go in addition to this.

Do i need to copy the app files into the indexers as well?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

ES should be on a dedicated search head. It's too demanding of resources to share a box with adhoc searches and cluster master.

Yes, TAs need to be installed on the indexers.

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...