Hi,
I am trying to simulate a cluster environment for the Splunk App for Enterprise Security. The setup is:
- Two indexers in a cluster with Rep Factor = 2, search factor = 2
- One search head for the ES app, the other one for third-party apps.
- Dedicated Cluster Master & Deployer on a single machine.
I have installed the ES app on the deployer and copied the SA-ForIndexers, TA-*, Splunk_TA*, Splunk_SA* files to master-apps and pushed them to the indexer cluster. With this, it is able to create the indexes.
Thanks
siddiqu.T
Indexer Clustering and Search Head Clustering are two separate and distinct features. You need to understand the basics of both in order to run ES in both. Based on your environment description, you do not have Search Head Clustering in mind.
Regarding Indexer Clustering, you need a working cluster before you install ES. Once you have a valid working clustered indexer environment, then you can install ES. There is a SA-ForIndexers that comes with ES; this would be placed on your Cluster Master and distributed to each indexer. This is not through the deployer; the deployer is used for SHC.
For SHC, again you need to understand how this works before you try and deploy ES on this. There is a large list of issues you need to be aware of and understand before you even attempt this. Make sure you read the documentation at:
http://docs.splunk.com/Documentation/ES/3.2.2/Install/AdvancedImp
If you have SHC configured, you need 3 search heads; you can follow the documentation for deploying ES in SHC. It will involve all SA-*, SplunkforEnterpriseSecurity*, and DA-* folders.
Hi,
I have completed the index cluster and pushed the SA-ForIndexers via the cluster master to the indexers. The indexes are created on both indexers.
For the search head cluster, I would like to know which directories/files we need to push to the search head nodes via the deployer.
Thanks
siddiqu.T