Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I configure Splunk Enterprise Security in an indexer cluster?

mgalos
New Member
‎12-03-2018 10:49 AM

I am not sure which Splunk ES related apps go where.

My deployment looks like the following:

Splunk universal forwarder (windows/linux/) + syslog ===> 2 Heavy Forwarders =====> 2 Indexers ======> 1 search head/master

I deployed the OS related TA app on the UF and the ES app config on the search head/mater. I am not sure where any of the SA or DA files need to go in addition to this.

Do i need to copy the app files into the indexers as well?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-03-2018 11:30 AM

ES should be on a dedicated search head. It's too demanding of resources to share a box with adhoc searches and cluster master.

Yes, TAs need to be installed on the indexers.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...